A ruling by the Court of Justice of the European Union confirming consumer groups have a right to file representative actions over alleged EU General Data Protection Regulation violations, when permitted under national law, unblocks dozens of cases and puts an end to a lingering enforcement question.

The court’s April 28 judgment allows consumer protection organizations to autonomously bring forward lawsuits on behalf of consumers against an individual or entity claimed to be responsible for “an infringement of the laws protecting personal data.”

While consumer protection advocates welcome the ruling as positive for consumers and consumer groups, the CJEU’s decision comes just one year ahead of the application of the EU’s Representative Actions Directive, which will enable consumer groups in all EU countries to launch injunctions or collective redress claims when certain criteria is met. Together, the moves signal what could be an increase in collective redress actions in the EU, centering around GDPR enforcement and consumer protection.

“All together, this case has not revolutionized the understanding of the GDPR or the enforcement under it, but it does clarify what NGO’s can and cannot do. It is important in the sense that there are still a lot of questions around procedure involving GDPR enforcement, so obviously having this clarification is extremely valuable,” Access Now’s Europe Legislative Manager and Global Data Protection Lead Estelle Massé said. “We’re getting, I think, clarification in the first years of GDPR. So, it’s sort of a continuation of the enforcement story with this case.”

The Federation of German Consumer Organisations (vzbv) filed the lawsuit against Facebook Ireland, now Meta Platforms Ireland, that led to the CJEU’s April ruling. The vzbv alleged Meta infringed on personal data and consumer protection rules by making free games from third-party entities available in its “App Center.” Court documents say some of the games enabled the company to obtain and publish personal data on behalf of a user, while one game in particular informed users it had permission to post photos and other information on their behalf. The vzbv called those actions "unfair." 

The case ultimately made its way to the Federal Court of Justice, which referred the question to the CJEU with doubts as to whether the consumer organization had standing to bring forward claims on behalf of individual data subjects, without a consumer's mandate to do so. 

The CJEU outlined its determination that a consumer protection association “falls within the scope of the concept of a ‘body that has standing to bring proceedings’ for the purposes of the GDPR in that it pursues a public interest objective consisting in safeguarding the rights of consumers,” adding an infringement on consumer protection regulations and unfair commercial practices “may be related to the infringement of a rule on the protection of personal data.” The court also noted Article 80 of the GDPR allows Member States “to provide for a representative action mechanism against the person allegedly responsible for an infringement of the laws protecting personal data.”

The court said its interpretation “is consistent with the objective pursued by the GDPR consisting in, in particular, ensuring a high level of protection of personal data,” and “undoubtedly contributes to strengthening the rights of data subjects and ensuring that they enjoy a high level of protection.”

The vzbv called the decision “a landmark ruling” that “significantly strengthened the legal standing of consumer associations,” while a Meta spokesperson said the case “showed there were some open questions” and the company “will review the decision and assess its implications.”

“It is an open secret that some European data protection authorities are not quite able to cope with the escalating data collection of the big technology companies. In the past, this enforcement deficit increasingly gnawed at the acceptance of the GDPR,” vzbv board member Jutta Gurkmann said in a press release. The decision, she said, “puts an end to the tiresome debate about consumer associations’ right to sue for data protection. Because now it is clear: In addition to the supervisory authorities, civil society organizations such as the vzbv can also punish violations of the GDPR to a very large extent.”

BEUC Senior Legal Officer, Team Leader David Martin said the CJEU’s decision unblocks more than 20 GDPR-related cases, which he described as “major cases against other big platforms” planned by the vzbv, a member of the BEUC. The vzbv did not return a request for comment on the CJEU’s decision.

“Even if you already had this interpretation of the law and in itself it doesn’t change your understanding, it is still very positive to have it confirmed and also to have those cases that were blocked until this was confirmed be able to move forward. That doesn’t mean all cases will be decided in favor of the consumer, but to be able to be decided on is very important,” Massé said. “Having the jurisprudence being built on data protection is extremely important.”

While in the short-term the decision clarifies consumer organizations can act on behalf of consumers when certain criteria is met, in the long-term under the Representative Actions Directive, Martin pointed out, “this will be a possibility all across Europe.”

“In all member states, qualified entities and consumer organizations will be able to use all the instruments that are included in the Representative Actions Directive, including injunctions and collective redress” when a company is believed to have violated one of several EU laws, including the GDPR, he said. “So, they’ll be able to take up representative actions on the basis of claiming GDPR infringements.”

The directive, which was entered into force on Dec. 24, 2020, comes into application starting June 25, 2023. EU Member States have until January 2023 to put in place at least one procedural mechanism allowing for injunction or redress by qualified entities, such as consumer organizations or public bodies, and then the additional six months to apply it.

The directive states only qualified entities will be able to represent groups of consumers and will have to demonstrate their status as a stable and publicly active non-profit organization.

Martin said both the CJEU decision and the Representative Actions Directive are important steps in data protection that are beneficial for consumers and consumer organizations.

“This private enforcement element is really crucial,” he said. “We really hope it is going to be bringing positive things and is going to improve enforcement of and compliance with the GDPR.”

Photo by Kelly Sikkema on Unsplash