On April 28, 2022, the Court of Justice of the European Union (CJEU) held that a consumer protection association had standing to bring claims on behalf of consumers whose personal data was used in a manner that infringes on provisions of the GDPR. The key issue put to the CJEU was whether national legislation permitting a consumer protection association to bring proceedings in the civil courts against infringements of GDPR had standing: (1) independent of the specific infringements of the rights of the individual data subjects; and (2) without a specific mandate by those data subjects to bring the proceedings.
This client alert focusses on the background of the ruling, its impact, and how this relates to similar representative action being brought for infringement of GDPR across the EU and the UK recently. It also set outs proposed legislative changes to class actions that are set to be imposed at an EU-wide level.
A consumers rights group, the Federal Union of Consumer Organisations and Associations (Federal Union), applied for an injunction against Meta Platforms Ireland (the parent company for Facebook users outside of the US) for infringement of rules concerning certain users’ personal data.
The application for injunctive relief by the Federal Union reached Germany’s highest Court, the Federal Court of Justice, which then referred the matter to the CJEU. The Federal Court had doubts over the admissibility of a consumer group bringing a claim on behalf of the group of users. These concerns stemmed from whether German national legislation that permitted consumer protection associations to bring these types of claims was compatible with the provisions of the GDPR.
The CJEU ruled that the GDPR does not preclude national legislation that allows a consumer protection association to bring legal proceedings provided: (1) the data processing activities concerned are liable to affect the rights that identified or identifiable persons derive from the GDPR; and (2) the consumer association concerned is pursuing a public interest objective.
The Court also confirmed that the Federal Union can bring the claim independently of the infringement of the specific rights of the data subjects and without a specific mandate by those data subjects. In other words, an action can be brought on behalf of a class of consumers subject to an infringement even if those consumers have not specifically directed it to bring a claim on their behalf.
This judgment confirms that EU consumers may benefit from broader protection offered to them by allowing consumer rights associations to bring claims on their behalf without requiring a specific mandate.
The judgment is one of a number of representative actions brought recently before other European national courts which concern infringements of the GDPR. The UK and EU Member States have varying legislation concerning class actions. Recent examples (although none are cases brought by consumer rights associations) include:
- In the English civil courts, a representative action is being brought by a child under the age of 16 for herself and on behalf of a class of children who use or have used the social media platform TikTok from May 25, 2018, and are resident in the UK or the European Economic Area. The litigation attorney for the child is the former Children’s Commissioner for England. It is alleged that TikTok infringed the requirements of the GDPR in processing the children’s personal data, and that it misused their private information. Permission to serve the claim outside the jurisdiction against TikTok was allowed, but following the Supreme Court Judgment in Lloyd v Google, it remains to be seen whether TikTok will succeed in its summary judgment/strike out of the claim.
- In Malta, a company called C-Planet Solutions was fined €65,000 in January 2022 by the national supervisory authority for a data breach which leaked online the personal data of around 337,000 Maltese voters. Details included names, addresses, ID card details, phone numbers and the voting intentions of around two-thirds of the population. The breach was worsened by the fact that voting intention data comes under a ''special category'' of sensitivity for the purposes of the GDPR. A collective action is being brought by 620 claimants in relation to this breach with proceedings remaining ongoing.
There is a patchwork of potential root cause for litigation that organizations operating in both the UK and the EU should be aware of. Preparation is needed to ensure that robust measures are in place should such an action be brought.
The Collective Redress Directive – Even More Litigation?
EU Member States are in the process of implementing into domestic laws the Collective Redress Directive by December 25, 2022. The Directive was introduced because it was recognized that actions for collective redress, or ''class actions,'' vary considerably amongst Member States, with certain states lacking specific class action procedures.
Under the Directive, ''qualified entities'' include consumer protection associations (such as the Federal Union), which will be able to bring representative claims on behalf of consumers against “traders” for violations of a list of EU laws that includes the GDPR.
''Traders'' has a broad definition which will include individuals, companies and other corporate entities. The qualified entity will be able to obtain both injunctive relief and other forms of redress such as compensation on behalf of consumers subject to data protection violations.
In terms of compensation, Article 82 of the GDPR makes any controller or processor which infringes the regulation liable to payment of compensation, whether the damage suffered is material or non-material.
The Directive, in combination with the Judgment and redress provisions of Article 82, are therefore likely to bring increased levels of litigation from consumer groups. This will require companies to focus even more on accountability and responsible uses of personal data, as they could otherwise be caught in litigation conundrum.