Consumer associations can bring GDPR cases to court without demonstrating a specific violation of individual rights

In its judgment of 28 April 2022 the Court of Justice of the European Union (CJEU) confirmed that national legislation may allow consumer associations to bring General Data Protection Regulation (GDPR) claims in the collective interest of consumers to court, without being mandated by individuals, and irrespective of a specific, identified violation of data subject rights.

This CJEU ruling will enable better enforcement of data subject rights under the GDPR, and is therefore, an important step towards an even more comprehensive protection of personal data in the European Union (EU). It could lead to a wave of legal claims by consumer associations as these usually have more resources to pursue lawsuits than individuals. For companies the decision should be a reminder of the importance of GDPR compliance.

Data subject rights under the GDPR and how they can be exercised

To ensure an effective protection of data, the GDPR provides individuals with a comprehensive set of rights, in particular the right to:

  1. be informed (e.g., Art. 13 GDPR);
  2. access (Art. 15 GDPR);
  3. rectification (Art. 16 GDPR);
  4. erasure (Art. 17 GDPR);
  5. restrict processing (Art. 18 GDPR);
  6. data portability (Art. 20 GDPR);
  7. object (Art. 21 GDPR);
  8. not be subject to a decision based solely on automated processing (Art. 22 GDPR);
  9. lodge a complaint with a supervisory authority (Art. 77 GDPR);
  10. an effective judicial remedy against a supervisory authority (Art. 78 GDPR);
  11. an effective judicial remedy against a controller or processor (Art. 79 GDPR);
  12. compensation and liability (Art. 82 GDPR).

If a data subject believes processing of their personal data is not compliant with the GDPR, Art. 77 GDPR provides them with the right to turn to the supervisory authorities. In addition, claims for damages and injunctive relief can be brought to civil courts. Thereby, Art. 80 (1) GDPR provides for the right to mandate certain non-profit entities to exercise the data subjects’ rights for them.

In addition, Art. 80 (2) GDPR stipulates that national law may allow these entities to bring claims to supervisory authorities and courts without being mandated by a data subject, “if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing”.

Data subjects also increasingly make use of these possibilities to exercise their data subject rights. A survey conducted by European Data Protection Board (EDPD) showed that the number of data subjects exercising their right under Art. 77 GDPR increases year by year. To keep up with the rising number of claims, and corresponding increase in proceedings, the authorities have been given access to more resources as well.

In addition, more and more consumer organisations are taking action against companies that do not comply with the requirements of the GDPR. A popular example is privacy advocate Max Schrems’ organisation noyb, which issued hundreds of complaints against companies using non-compliant cookie banners.

Current judgements on the GDPR

Read our regular reviews of data protection law rulings to stay up to date!

The background of the CJEU ruling

In its judgment, the CJEU had to decide whether the GDPR precludes national law that allows consumer groups to bring GDPR claims to civil courts without being mandated by the data subjects, and irrespective of a specific infringement of data subject rights. The question had been referred by the German Federal Court of Justice regarding a case brought against Facebook Ireland. According to the German Federal Court of Justice, Facebook Ireland violated the GDPR by failing to provide users with the required information about the purpose of the data processing and the recipients of the personal data in a concise, transparent, understandable, and easily accessible manner and in clear and simple terms. However, the court was in doubt about the admissibility of the case, as the action was brought by the Verbraucherzentrale Bundesverband e.V. (German Federation of Consumer Organisations) without regard to a specific violation of data subject rights and without a mandate from a specific data subject. Indeed, German law allowed consumer associations to bring actions for alleged infringements of data subject rights. The main question of the case was, therefore, whether Art. 80 (2) GDPR precludes such a national law. This would have been the case, if Art. 80 (2) GDPR were to be interpreted as meaning that a national law may only allow representative actions if a specific violation of data subject’s rights is demonstrated.

The CJEU ruling

In its judgment, the CJEU decided that Art. 80 (2) GDPR does not preclude national law allowing consumer groups to bring GDPR claims to court without being mandated by data subjects and irrespective of the infringement of specific data subject rights. The court reasoned that, given the purposes of a representative action, it cannot be required that the association bringing the action identifies the specific data subject affected by an alleged data protection breach in advance. According to Art. 4 No. 1 GDPR, data subjects do not only include persons already identified, but also identifiable natural persons. Therefore, it is sufficient if a category or group of persons affected by the allegedly unlawful data processing is named (para. 68 of the decision). Moreover, Art. 80 (2) GDPR requires that the respective association “considers” data subject rights to be violated. Therefore the court argued that its wording does not require a specific violation of individual rights (para. 71 of the decision). Ultimately, the court argued that representative actions enable the prevention of numerous infringements of data subject rights and, therefore, could be more effective than individual lawsuits (para. 71 of the decision).

Significance of the judgment

This interpretation of the GDPR addresses the imbalance of power between companies processing data and data subjects. While individuals usually have limited resources and thus often refrain from appealing against decisions, consumer associations often have more resources to ensure that consumer rights are enforced. The CJEU ruling is an important step towards a more comprehensive protection of personal data. The CJEU decision is also consistent with the EU Directive on Representative Actions, which was introduced on 4 December 2020. This Directive will allow consumer associations in the EU to bring injunctions or collective redress claims against companies that violate EU law, including the GDPR, as long as certain criteria are met. The Directive must be implemented into national law by the member states no later than 25 June 2023. The CJEU judgment and the introduction of the Representative Action Directive, combined with the rising number of claims by individuals and consumer groups, as well as the increase in authority resources and the tendency to impose higher fines (see e.g. fines against WhatsApp and Amazon), should remind your company to ensure compliance with the requirements of the GDPR and to regularly review your compliance. The CJEU judgment alone unblocks more than twenty cases related to the GDPR brought by the European Consumer Association and its members according to their own information.

Contact us!

Secure the knowledge of our experts!

Subscribe to our free newsletter: