Cordery

Legal.Compliance.

European Court Rules Class-Action Data Protection Claim Can Be Brought By Consumer Organizations Without Individual Mandate To Do So

Introduction

Claims before domestic courts in both the UK and EU countries for compensation for alleged data protection violations continue to be brought.

In a recent ruling the European Court decided in the case of Meta Platforms Ireland Limited, formerly Facebook Ireland Limited -v- Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V (Case C-319/20) that EU consumer associations can bring class-action style claims (called “representative actions” in EU-speak) concerning data protection infringements without being mandated to do so by individuals. This article briefly highlights the key points in the case.

What’s this all about?

The Federal Union of Consumer Organizations and Associations (the “FUCOA”) in Germany brought a case in a German court seeking an injunction against Meta Platforms Ireland (“Meta” – formerly Facebook Ireland Limited, the controller of the personal data of users of the online social network Facebook in the EU), alleging that it had infringed, in the context of making available to users free games provided by third parties, rules on: the protection of personal data protection; the combat of unfair commercial practices (where businesses make misleading claims to consumers e.g. falsely claiming that a product can cure illnesses, or businesses make aggressive claims to consumers e.g. creating a false impression that a consumer has won a prize when in fact there isn’t one); and, consumer protection.

When consulting the App Center of some of those games, an indication appears informing the user that the use of the application enables the gaming company to obtain a certain amount of personal data and, by that use, permission is given for it to publish data on behalf of that user. That use implies that the user accepts the general terms and conditions of the application and its data protection policy.

The FUCOA considered that the information provided by the games concerned in the App Center to be unfair, in particular in terms of the failure to comply with legal requirements which apply to obtaining valid consent from the user under data protection rules. Consequently the FUCOA brought an action for an injunction before the Regional Court of Berlin in Germany, which it brought independently of a specific infringement of a data subject’s right to protection of his or her data and without being mandated to do so by such a person. The Berlin court ruled against Meta who then appealed this decision, which was dismissed, following which an appeal on a point of law was brought and eventually a question for a preliminary ruling about the interpretation of EU GDPR was made by the German Federal Court of Justice to the Court of Justice of the European Union (“the European Court”).

The European Court was asked whether, following the entry into force of EU GDPR, a consumer protection association, such as the FUCOA, had standing to bring proceedings in the civil courts against infringements of EU GDPR, independently of the specific infringement of rights of individual data subjects and without being mandated to do so by those data subjects.

What did the court rule?

The court ruled as follows:

  • EU GDPR does not preclude national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data;
  • Some provisions of EU GDPR make it possible for EU countries to lay down additional rules which leave them a margin of discretion as to the manner in which those provisions may be implemented, provided that the national rules adopted do not undermine the content and objectives of EU GDPR. In that regard, EU countries also have the option to provide for a representative action mechanism against the person allegedly responsible for an infringement of data protection laws, while setting out a number of requirements which must be complied with;
  • A consumer protection association, such as the FUCOA, falls within the scope of the concept of a “body that has standing to bring proceedings” for the purposes of EU GDPR in that it pursues a public interest objective consisting in safeguarding the rights of consumers; the infringement of the rules on consumer protection and unfair commercial practices may be related to the infringement of a rule on the protection of personal data;
  • The bringing of a representative action presupposes that such a consumer association, independently of any mandate conferred on it, “considers” that the rights of a data subject laid down in EU GDPR have been infringed as a result of the processing of his or her personal data, without it being necessary to identify, individually and beforehand, the person specifically concerned by that processing and to allege the existence of a specific infringement of the rights deriving from data protection rules; and,
  • Finally, EU GDPR does not preclude national provisions which provide for bringing representative actions against infringements of the rights conferred by EU GDPR through, as the case may be, rules intended to protect consumers or combat unfair commercial practices.

The case will now return to the German national court, which has already indicated that the case is well-founded in substance.

What are the takeaways?

The European Court’s ruling is expected to either help start new claims or give momentum to a number of existing claims in some EU countries, notably Germany (the FUCOA is quite litigious) and Austria.  Big tech companies may be the expected targets.

The ability for consumer protection organizations to bring data protection infringement claims will also be enhanced under the EU Representative Action (i.e. class-action) Directive, which must be implemented by EU countries into their national law by 25 December 2022 – the rules must be applied from 25 June 2023.

Compensation claims alleging data protection infringements against organizations continue to be on the rise – don’t rest on your laurels and instead stay sharp. Considerations for businesses including the following:

  • Make staff and the Board aware of both individual and class-action claim risks for alleged data protection breaches;
  • Set up and undertake regular compliance audits or reviews in order to identify, rectify and prevent issues that could involve either an individual claim or a class-action claim;
  • Check the liability provisions in vendor agreements and revise them where appropriate;
  • Consider looking into insurance cover issues; and,
  • If you are on the receiving end of a claim ensure that you act fast! Using specialist lawyers to help you will likely be essential in defending the claim.

 

More information

Our FAQs about EU representative action/class-action rules can be found here https://www.corderycompliance.com/eu-class-action-faqs/

We have reported on data protection claims issues recently here https://www.corderycompliance.com/thebountycase/, and here  https://www.corderycompliance.com/ali-v-luton-rogue-employee/ and here https://www.corderycompliance.com/dp-infringement-stadler-currys/ and here https://www.corderycompliance.com/damages-minor-dp-infringement/ and here https://www.corderycompliance.com/lloyd-v-google-ruling/.

We report about data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.

For information about our Cordery GDPR Navigator tool please see http://www.corderycompliance.com/solutions/cordery-gdpr-navigator/

The European Court’s ruling can be found here https://curia.europa.eu/juris/document/document.jsf?text=&docid=258485&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=7257807

For more about GDPR please also see our GDPR FAQs which can be found here:  http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.

For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong, Cordery, Lexis House, 30   Farringdon Street, London, EC4A 4HH André Bywater, Cordery, Lexis House, 30             Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784 Office: +44 (0)207 075 1785
Jonathan.armstrong@corderycompliance.com Andre.bywater@corderycompliance.com
 

 

Contact a Cordery Specialist +44(0)207 118 2700 | Contact Us

Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority.
SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520
Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom

Cordery Compliance Limited trading as Cordery provides some products and services which are not regulated by the Solicitors Regulation Authority; we will clearly state this to you if this is the case.

We use the word “partner” to refer to a shareowner or director of the company, or an employee or consultant who is a lawyer with equivalent standing and qualifications.

Cordery is a registered trademark of RELX (UK) Limited, used under license. The Knowledge Burst logo is a registered trademark of Reed Elsevier Properties Inc., used under license.

Copyright © 2021 Cordery. All rights reserved.