Lawsuits by associations for breaches of the GDPR?

The Federal Supreme Court (BGH) recently had to deal with the question of whether national consumer associations may also sue in the case of violations of the General Data Protection Regulation (GDPR). Since the BGH had doubts with regard to the admissibility of a corresponding action, it submitted the question to the European Court of Justice (ECJ) for a decision (C-319/20). It is obvious that the issue is not only dogmatically interesting. A corresponding right of action of consumer associations can have an enormous impact on data protection practice for companies. In this respect, one only has to think of social media platforms or web shops as well as comparable companies that regularly process personal data of a large number of data subjects. Since the users of such platforms/webshops are regularly consumers, the interest of consumer associations is also understandable. However, such a practice is not new. With regard to the Data Protection Directive 95/46/EC, the Federal Court of Justice had already affirmed that consumer associations have standing to sue. The opinion of Advocate General Jean Richard De La Tour was therefore all the more eagerly awaited.

What is the case about?

The Federation of German Consumer Organisations “Verbraucherzentrale Bundesverband e.V.” (hereinafter referred to as "Bundesverband") accuses Facebook Ireland Limited of a violation of the legal provisions on the protection of personal data, which in the view of the Bundesverband constitutes at the same time an unfair business practice, a violation of a consumer law and a violation of the prohibition of the use of ineffective general terms and conditions. On the internet platform Facebook there is an "App Centre" where users of the platform can, among other things, take advantage of free games from third-party providers. When calling up the various games, a series of information appears under the button "Play now", in which the user is informed that the game operator receives a series of personal data of the user in the event that his game is claimed. In the case of the game "Scrabble", information is also provided that the game operator may post images, texts and other information on behalf of the user. By using the game, the user agrees to the General Terms and Conditions of the application as well as its data protection information.

In particular, the Federal Association objects to the presentation of the notices given under the "Play Now" button in the "App Centre" as unfair and also complains about the non-compliance with the legal requirements for obtaining an effective consent of the user under data protection law. Furthermore, the Federal Association considers the final notice when calling up the game "Scrabble" to be an unreasonably disadvantageous general business condition for the user. The Federal Association is registered in Germany in the list of qualified institutions pursuant to Section 4 of the Act on Actions for Injunctions in the Event of Consumer Rights and Other Infringements (UKlaG) and is entitled pursuant to Section 3 (1) UKlaG to sue for injunctive relief, revocation and removal in the event of infringements of so-called consumer protection laws.

What is the legal question?

The BGH is now asking the ECJ to interpret Article 80(2) of the GDPR, since the action of the Federal Association is not based on an order of a data subject. The norm literally states:

„Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject's mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.”

Article 80(1) of the GDPR, on the other hand, contains a provision that allows certain "not-for-profit body[s], organization[s] or association[s]" to claim violations of the GDPR on behalf of data subjects. In the present case, the BGH is seeking in particular a declaration as to whether the applicability of Article 80(2) of the GDPR is precluded by the fact that the infringements complained of by the Federal Association also concern other provisions of EU and national law, in particular in the field of consumer protection law and the fight against unfair commercial practices.

What does the Advocate General say?

The Advocate General has now made the following proposal to the ECJ in his Opinion:

“Article 80(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that it does not preclude national legislation which allows consumer protection associations to bring legal proceedings against the person alleged to be responsible for an infringement of the protection of personal data, on the basis of the prohibition of unfair commercial practices, the infringement of a law relating to consumer protection or the prohibition of the use of invalid general terms and conditions, provided that the objective of the representative action in question is to ensure observance of the rights which the persons affected by the contested processing derive directly from that regulation.”

According to the Advocate General, the protection of collective consumer interests is precisely in line with the purpose of the GDPR to create a high level of protection for personal data. It should be emphasised at this point that - according to the Advocate General - only the existence of a processing of personal data in breach of the provisions of the GDPR is required in order to comply with the requirements of Article 80(2) of the GDPR. A corresponding action must therefore be based solely on the infringement of such rights that may accrue to a natural person as a result of a processing of his or her personal data under the GDPR.

What decision of the ECJ can be expected?

Although the Advocate General's opinion is not binding on the ECJ's decision, there is a tendency for the Court of Justice to regularly follow the legal opinion expressed there. We therefore expect that the ECJ will also position itself in such a way that the action of the Federal Association will be considered admissible. For companies, this means even more: Compliance with the requirements of the GDPR is not a mere formalism, but can lead to considerable sanctions and legal consequences in the event of a breach. If the "counterpart" is also a consumer association, this has a clear impact on the economic imbalance, which regularly makes affected parties refrain from legal remedies.

The final decision of the ECJ is expected in a few months.

This article was written with the kind assistance of trainee lawyer Marius Drabiniok.