With its decision dated 28 April 2022, the European Court of Justice (ECJ) has confirmed that consumer protection associations have the right to sue if they intend to claim personal data breaches. This has so far only been possible for the data subjects themselves and will from now on also be possible irrespective of a specific damage event or instruction by the data subjects. This considerably increases the risk for companies with a strong public visibility and/or web presence.
This article summarises the consequences of this decision and answers some of the most important questions.
The subject matter of the decision was an action for a cease-and-desist order by the Federation of German Consumer Organisations (VZBV) against a large social media provider. The German Federal Supreme Court (BGH) had doubts regarding the admissibility of an action filed by the VZBV. The BGH was of the opinion that actions based on a breach of the EU General Data Protection Regulation (GDPR) by an association would only be possible in case of a specific breach of data subject rights.
With its decision, the ECJ confirmed the right for associations to bring an action. According to the ECJ, the objective is to defend the interests of the general public against relevant breaches of data protection law. Hence, the protection of the individual is in the foreground, as intended by the GDPR.
Up to now, it has been rare for individual consumers to report possible data protection breaches or initiate court proceedings. Following the ECJ's decision, consumer associations can take over this unpleasant task for consumers. The effort required of consumers to pursue a personal data breach hence decreases considerably.
At the same time, it is expected that the consumer associations' entitlement to bring an action will lead to an increased number of court proceedings.
Companies are now in a position to – indirectly – pursue personal data breaches of a competitor. The locus standi of associations has led to the fact that the use of invalid general terms and conditions has since been increasingly admonished and may even be pursued in court.
In principle, this decision concerns all companies. However, it can be expected that associations in particular will now take a closer look at breaches of the GDPR by large global companies. Specifically, online shops and companies in business-to-consumer trade tend to attract the interest of consumer associations.
It is expected that, in particular, privacy notices and cookie banners, as well as consent forms (eg, for newsletters) – as publicly available documents – will be the focus of consumer associations.
It is recommended that companies quickly review all publicly available privacy notices.(1) Companies should consider the guidelines of the Data Protection Conference, since consumer protection associations will regard these as a "gold standard". Marketing informed consent forms should also be reviewed, in particular with respect to their comprehensibility and completeness.
It can so far only be speculated to what extent consumer associations will now pursue and enforce personal data breaches. However, it is to be expected that the number of court proceedings regarding non-compliance with the GDPR regulations will increase. Against this background, all companies are urgently advised to review their data protection provisions with respect to compliance with the GDPR regulations. Only in this way can cost-intensive and lengthy court proceedings be avoided. It should be widely known that such proceedings may also have negative effects on a company's reputation.
For further information on this topic please contact Nils Müller or Joos Hellert at Eversheds Sutherland by telephone (+49 89 54565 295) or email. The Eversheds Sutherland website can be accessed at www.eversheds-sutherland.com.
(1) Click here to view a first-aid checklist with practical examples in order to gain a first overview of frequent pitfalls and mistakes.