Out-Law / Your Daily Need-To-Know

EU law on representative data protection class actions clarified

Out-Law News | 06 May 2022 | 9:51 am | 3 min. read

Consumer protection associations can raise class action-style lawsuits on behalf of data subjects without first needing to get their consent to do so under EU data protection laws, the EU’s highest court has ruled.

In a recent judgment, the Court of Justice of the EU (CJEU) said that the General Data Protection Regulation (GDPR) does not preclude national legislation being implemented in EU member states that provides consumer protection associations with a right to pursue data protection claims on a representative basis, without a mandate from the individuals they profess to represent, where those associations believe there is a link between data processing practices and alleged non-compliance with consumer protection laws.

The CJEU was invited to rule on the issue by a court in Germany which has been considering whether a representative action brought by the Federal Union of Consumer Organisations and Associations in Germany against Meta is admissible.

The Federal Union has taken issue with data sharing enabled through Facebook’s app centre, alleging infringement of data protection laws in Germany in a way that constitutes an unfair commercial practice, an infringement of consumer protection law and a breach of the prohibition of the use of invalid general terms and conditions. Meta has disputed the claims.

The Federal Court of Justice in Germany asked for the CJEU’s help in interpreting EU law after it determined that it was not clear whether the Federal Union has legal standing, under the GDPR, to pursue the case against Meta. The Federal Union has sought to pursue the claims without a mandate from the data subjects it seeks to represent.

In considering how the GDPR should be interpreted, the CJEU particularly focused on the wording of Article 80 of the Regulation, which addresses representation of data subjects.

Article 80(1) effectively provides for an ‘opt-in’ system of data protection representative actions in the EU. It states that data subjects can mandate not-for-profit bodies, organisations or associations that fulfil certain criteria to lodge a complaint on their behalf, to pursue claims against regulators, controllers or processors before the courts on their behalf, and to exercise the right to receive compensation on their behalf.

Article 80(2) provides EU member states with the option of going beyond the ‘opt-in’ framework. It gives EU member states scope to enable not-for-profit bodies, organisations or associations that meet the relevant criteria with a right, independent of a data subject’s mandate, to lodge complaints or pursue claims if those bodies consider that the rights data subjects enjoy under the GDPR have been infringed as a result of the way their personal data has been processed.

The CJEU reflected on the fact that the GDPR requires in some areas, and empowers in others, EU member states to supplement or derogate from the Regulation. It said it is within the discretion afforded to member states under the GDPR to legislate in respect of data protection representative actions under Article 80(2).

One of the main issues that the CJEU deliberated over was whether consumer protection associations have standing to bring representative actions under the GDPR where the infringement of data protection laws they are alleging gives rise to potential claims under consumer protection law.

The CJEU said that the GDPR does not preclude national laws that enable consumer protection associations to raise representative actions citing non-compliance with consumer protection laws where the underlying concern relates to the way individuals’ personal data has been processed.

In answer to the specific question referred to it by the Federal Court of Justice, the CJEU said: “Article 80(2) … must be interpreted as not precluding national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.”

According to the CJEU, consumer protection associations do not need to “carry out a prior individual identification of the person specifically concerned by data processing that is allegedly contrary to the provisions of the GDPR” to be eligible for bringing a representative action. It said it is open to consumer protection associations to simply refer to individuals they wish to represent by indirect identifiers, such as location data. In such cases the associations can designate a category or group of individuals they profess to represent.

The CJEU further clarified that consumer protection associations do not need to specify the existence of a specific infringement of data subject rights under the GDPR to raise a representative action. It is sufficient for them to merely “consider” that data subjects’ rights have been infringed by virtual of the way their personal data has been processed, the court said.

“It follows that, in order to recognise that such an entity has standing to bring proceedings under that provision, it is sufficient to claim that the data processing concerned is liable to affect the rights which identified or identifiable natural persons derive from that regulation, without it being necessary to prove actual harm suffered by the data subject, in a given situation, by the infringement of his or her rights,” the CJEU said.