An opinion by Advocate General of the Court of Justice of the European Union (CJEU) Richard de la Tour might provide some clarity regarding the question who can bring General Data Protection Regulation (GDPR) claims to civil courts. Advocate General Richard de la Tour proposed that national legislation may allow consumer protection associations to bring GDPR claims in the collective interest of individuals, irrespective of an actual infringement of the data subjects’ rights and without being mandated by them. Hence, it is getting even more important for your company to ensure that any data processing is GDPR-compliant.
Data subject rights under the GDPR
To ensure an effective protection of data, the GDPR provides individuals with a set of rights:
- The rights to be informed (e.g. Art. 13 GDPR)
- The right to access (Art. 15 GDPR)
- The right to rectification (Art. 16 GDPR)
- The right to erasure (Art. 17 GDPR)
- The right to restrict processing (Art. 18 GDPR)
- The right to data portability (Art. 20 GDPR)
- The right to object (Art. 21 GDPR)
- The right to not be subject to a decision based solely on automated processing (Art. 22 GDPR).
If a data subject believes that the processing of their personal data is not compliant to the GDPR, Art. 77 GDPR provides them with the right to turn to the supervisory authorities. In addition, claims for damages and injunctive relief can be brought to civil courts.
Data subject claims are on the rise
A survey conducted by European Data Protection Board (EDPD) showed that the number of data subjects exercising their right under Art. 77 GDPR increases year by year. To keep up with the rising number of claims and corresponding increase in proceedings, the authorities have access to more resources as well.
Moreover, consumer organisations are increasingly taking action against companies that do not comply with the requirements of the GDPR. A popular example is privacy advocate Max Schrems’ organisation noyb, which issued hundreds of complaints against companies using non-compliant cookie banners.
The Advocate General’s Opinion
Consumer associations might now even be able to bring cases to court on behalf of data subjects.
The CJEU must soon decide whether the GDPR precludes national law that allows consumer groups to bring GDPR claims to civil courts irrespective of the infringement of specific rights of individual data subjects and without being mandated by the data subjects. The question has been referred by the German Federal Court of Justice regarding a case brought against Facebook Ireland. According to the German Federal Court of Justice, Facebook Ireland violated the GDPR by failing to provide users with the required information about the purpose of the data processing and the recipient of the personal data in a concise, transparent, understandable and easily accessible manner in clear and simple terms. However, the court was in doubt about the admissibility of the case, as it was not filed by affected individuals but rather by the German Federation of Consumer Organizations.
In his opinion on 2 December 2021, Advocate General Richard de la Tour proposed to answer the question as follows: Article 80 (2) GDPR
“must be interpreted as meaning that it does not preclude national legislation which allows consumer protection associations to bring legal proceedings against the person alleged to be responsible for an infringement of the protection of personal data, on the basis of the prohibition of unfair commercial practices, the infringement of a law relating to consumer protection or the prohibition of the use of invalid general terms and conditions, provided that the objective of the representative action in question is to ensure observance of the rights which the persons affected by the contested processing derive directly from that regulation.“
Thus, in his view, Member States may allow certain entities to bring representative actions to protect the collective interests of consumers (or data subjects) – even without the need to claim the existence of specific cases involving named individuals and without being mandated by the data subjects – provided that a violation of the provisions of the Regulation (e.g., the GDPR) intended to grant subjective rights to data subjects is alleged.
He reasoned that the defence of the collective interests of consumers by consumer associations is particularly suitable to achieve the objective of the GDPR to provide a high level of protection of personal data.
Meaning of the opinion
If the CJEU adopts the interpretation proposed by Advocate General Richard de la Tour, this could significantly increase claims against incompliant data processing. Even though the Advocate General’s opinion is not binding for the CJEU, the court has historically tended to follow the Advocate General’s legal opinions.
This interpretation of the GDPR would also address the imbalance of power between data-processing companies and data subjects. While individuals usually have limited resources and thus often refrain from appealing against decisions, consumer associations often have more resources to ensure that consumer rights are enforced.
Ultimately, this proposed interpretation, combined with the rising number of claims by individuals as well as the increase of authority resources and the tendency to impose higher fines (see e.g. fines against WhatsApp and Amazon), should remind your company to ensure compliance with the requirements of the GDPR and to regularly review your compliance.