DATA PROTECTION
EU Court of Justice: Member States may allow consumer protection associations to bring representative actions against infringements of the protection of personal data.
In Germany, the Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (Federation of German Consumer Organisations, ‘the Federation’) complains that Facebook Ireland infringed, in the context of making available in the ‘App Zentrum’ (App Centre) of the platform free games supplied by third parties, rules on the protection of personal data, on combatting unfair competition and on consumer protection. In that context, the Federation brought an action before the German courts for an injunction against Facebook Ireland. According to the Bundesgerichtshof (Federal Court of Justice, Germany), Facebook Ireland has not provided to users (in a concise, transparent, intelligible and easily accessible form, using clear and plain language) the necessary information relating to the purposes of the processing of the data and the recipient of the personal data. Thus, in its view, Facebook Ireland infringed the General Data Protection Regulation.
However, the Bundesgerichtshof has doubts as to whether the Federation’s action was admissible. It questions whether a consumer protection association, such as the Federation, still has, since the entry into force of the General Data Protection Regulation, standing to bring proceedings, by lodging an action before the civil courts, against infringements of that regulation, independently of an actual infringement of the rights of individual data subjects and without being mandated by them. It observes, inter alia, that it may be inferred from the fact that the General Data Protection Regulation confers on the supervisory authorities extended supervisory and investigative powers and the power to adopt corrective measures that it is primarily for those authorities to oversee the application of the provisions of that regulation. Therefore, the Bundesgerichtshof asked the Court of Justice to interpret the General Data Protection Regulation.
Advocate General Jean Richard de la Tour proposes that the Court interpret the General Data Protection Regulation as meaning that that it does not preclude national legislation which allows consumer protection associations to bring legal proceedings against the person alleged to be responsible for an infringement of the protection of personal data, on the basis of the prohibition of unfair commercial practices, the infringement of a law relating to consumer protection or the prohibition of the use of invalid general terms and conditions, provided that the objective of the representative action in question is to ensure observance of the rights which the persons affected by the contested processing derive directly from that regulation.
The Advocate General notes that, in its judgment in Fashion ID, the Court ruled, in relation to Directive 95/46, 4 which preceded the General Data Protection Regulation, on a similar question. It ruled that that directive does not preclude national legislation which allows consumer protection associations to bring legal proceedings against a person allegedly responsible for an infringement of the protection of personal data. The Advocate General considers that neither the fact that Directive 95/46 has been replaced by a regulation nor the fact that Regulation 2016/679 now devotes one article to the representation of data subjects in legal proceedings are capable of calling in question what the Court decided in that judgment. In his view, the Member States may still provide for the possibility for certain entities to bring – without a mandate from the data subjects and without there being a need to claim the existence of actual cases affecting named individuals – representative actions designed to protect the collective interests of consumers, provided that an infringement of the provisions of that regulation which are intended to confer subjective rights on data subjects is alleged. That is indeed the case of the action for an injunction brought by the Federation against Facebook Ireland.
The Advocate General also considers that the General Data Protection Regulation does not preclude national provisions which authorise a consumer protection association to bring an action for an injunction in order to ensure compliance with the rights conferred by that regulation by means of rules designed to protect consumers or to combat unfair commercial practices. Such rules may contain provisions similar to those contained in that regulation, in particular with regard to providing information to data subjects about the processing of their personal data. Consequently, the infringement of a rule relating to the protection of personal data may at the same time entail the infringement of rules relating to consumer protection or unfair commercial practices. According to the Advocate General, the defence of the collective interests of consumers by associations is particularly suited to the objective of the General Data Protection Regulation of establishing a high level of personal data protection.
(Source: EU Court of Justice's Press Release no. 216 as of December 2nd, 2021 - Author and Ownership of the contents: EU Court of Justice).
However, the Bundesgerichtshof has doubts as to whether the Federation’s action was admissible. It questions whether a consumer protection association, such as the Federation, still has, since the entry into force of the General Data Protection Regulation, standing to bring proceedings, by lodging an action before the civil courts, against infringements of that regulation, independently of an actual infringement of the rights of individual data subjects and without being mandated by them. It observes, inter alia, that it may be inferred from the fact that the General Data Protection Regulation confers on the supervisory authorities extended supervisory and investigative powers and the power to adopt corrective measures that it is primarily for those authorities to oversee the application of the provisions of that regulation. Therefore, the Bundesgerichtshof asked the Court of Justice to interpret the General Data Protection Regulation.
Advocate General Jean Richard de la Tour proposes that the Court interpret the General Data Protection Regulation as meaning that that it does not preclude national legislation which allows consumer protection associations to bring legal proceedings against the person alleged to be responsible for an infringement of the protection of personal data, on the basis of the prohibition of unfair commercial practices, the infringement of a law relating to consumer protection or the prohibition of the use of invalid general terms and conditions, provided that the objective of the representative action in question is to ensure observance of the rights which the persons affected by the contested processing derive directly from that regulation.
The Advocate General notes that, in its judgment in Fashion ID, the Court ruled, in relation to Directive 95/46, 4 which preceded the General Data Protection Regulation, on a similar question. It ruled that that directive does not preclude national legislation which allows consumer protection associations to bring legal proceedings against a person allegedly responsible for an infringement of the protection of personal data. The Advocate General considers that neither the fact that Directive 95/46 has been replaced by a regulation nor the fact that Regulation 2016/679 now devotes one article to the representation of data subjects in legal proceedings are capable of calling in question what the Court decided in that judgment. In his view, the Member States may still provide for the possibility for certain entities to bring – without a mandate from the data subjects and without there being a need to claim the existence of actual cases affecting named individuals – representative actions designed to protect the collective interests of consumers, provided that an infringement of the provisions of that regulation which are intended to confer subjective rights on data subjects is alleged. That is indeed the case of the action for an injunction brought by the Federation against Facebook Ireland.
The Advocate General also considers that the General Data Protection Regulation does not preclude national provisions which authorise a consumer protection association to bring an action for an injunction in order to ensure compliance with the rights conferred by that regulation by means of rules designed to protect consumers or to combat unfair commercial practices. Such rules may contain provisions similar to those contained in that regulation, in particular with regard to providing information to data subjects about the processing of their personal data. Consequently, the infringement of a rule relating to the protection of personal data may at the same time entail the infringement of rules relating to consumer protection or unfair commercial practices. According to the Advocate General, the defence of the collective interests of consumers by associations is particularly suited to the objective of the General Data Protection Regulation of establishing a high level of personal data protection.
(Source: EU Court of Justice's Press Release no. 216 as of December 2nd, 2021 - Author and Ownership of the contents: EU Court of Justice).
