In this case, the German Federal Court of Justice (the “Court”) sought a preliminary ruling in a proceeding initiated by the Federation of German Consumer Organizations regarding infringement of the German legislation on the protection of personal data. Specifically, the Court asked the CJEU whether Article 80, par. 2 GDPR precludes consumer protection associations like the Federation of German Consumer Organizations from bringing proceedings against infringement of GDPR provisions that might also result in the infringement of consumer rights and unfair commercial practices, independently of any actual infringement of the rights of individual data subjects and without being mandated by them.
Under Article 80, para. 2 GDPR, each EU Member State may grant certain bodies, organizations, and associations[2] the right to file a complaint with the competent supervisory authority or the competent judicial authority, even in the absence of a mandate from a data subject, if it determines that the rights of a data subject covered under the GDPR have been infringed in the context of personal data processing. Therefore, according to the Advocate General, Article 80, para. 2 GDPR does not preclude national legislations from allowing consumer protection associations to bring representative actions for infringement of personal data protection, provided that such representative actions are intended to ensure respect for the rights established under the GDPR.
In reaching his conclusion, the Advocate General went beyond the reasoning of the CJEU in Fashion ID,[3] a case in which the CJEU interpreted EU Directive 95/46, subsequently repealed by the GDPR in 2016. Notably, in that judgment, the CJEU found that EU Directive 95/46 neither required Member States to provide in their national laws that consumer protection associations could represent data subjects in legal proceedings or launch legal proceedings under their own initiative for infringement of the rules on personal data protection nor precluded them from doing so. According to the Advocate General, neither the fact that the EU Directive 95/46 has been replaced by the GDPR, nor the fact that the GDPR now contains an article (Article 80) dedicated to the representation of data subjects in legal proceedings can be relied upon to call into question the ruling of the CJEU in Fashion ID.
Furthermore, the Advocate General suggested that the CJEU should not interpret Article 80, para. 2 GDPR restrictively, as meaning that to bring a legal action for infringement of personal data protection, an association first must identify one or more persons affected by the unlawful processing. Indeed, based on Article 4 GDPR, which describes a data subject as an “identified or identifiable natural person,” the Advocate General concluded that the only requirement for bringing legal action pursuant to Article 80, par. 2 GDPR is to show that the provisions of the GDPR designed to protect the subjective rights of data subjects (even data subjects who remain unidentified) have been infringed. Therefore, according to the Advocate General, Article 80, par. 2 GDPR does not preclude Member States from providing certain authorized entities (e.g., consumer protection associations) the opportunity to bring representative action without a mandate from data subjects, as the Federation of German Consumer Organizations did in the proceeding in question.
[1] Opinion of the Advocate General Richard de la Tour on Facebook Ireland Limited v. the Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (Federation of German Consumer Organizations) (Case C-319/20).
[2] Nonprofit bodies, organizations, or associations properly constituted in accordance with the law of that Member State, with statutory objectives in the public interest, and active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data.
[3] European Court of Justice, Fashion ID (Case C-40/17).
