Consumer law and the General Data Protection Regulation (GDPR): Case C-319/20 involving Facebook Ireland - Advocate General's opinion

 

Lorna Woods, Professor of Internet Law, University of Essex

Facts

The Federation of German Consumer Organisations initiated legal proceedings in German courts against Facebook. They claimed that Facebook violated data protection rules by failing to provide sufficient information about data collection practices related to free, third-party games offered on its platform. The Federation argued that this also infringed upon unfair competition and consumer protection regulations. The case reached the Bundesgerichtshof, which raised concerns about the Federation’s legal standing to bring the action following the implementation of the GDPR. Consequently, the court referred questions regarding this matter to the Court of Justice of the European Union (CJEU).

The Advocate General framed the key question as whether Article 80(2) of the GDPR prevents consumer protection associations from retaining the right, granted under national law, to pursue legal proceedings for injunctions against activities that simultaneously violate rights under GDPR and rules safeguarding consumer rights and combating unfair commercial practices. This question arose because, prior to the GDPR’s enactment, the Federation’s standing in such a case would have been unquestioned in Germany. The crux of the matter is whether the GDPR introduces an exhaustive framework for enforcing its provisions, potentially overriding national legislation that empowers consumer protection bodies to litigate against alleged violators of personal data protection based on alternative legal grounds.

Opinion

The Advocate General’s opinion highlighted that since the Federation wasn’t directly mandated by a data subject to initiate the action, Article 80(2) GDPR became the relevant provision. A similar question, concerning the Data Protection Directive, was previously addressed by the CJEU in the “Fashion ID” case. The court determined that Articles 22-24 of the Data Protection Directive do not prohibit national legislation that permits consumer protection organizations to file legal actions against entities suspected of violating personal data protection. The Directive neither mandated nor explicitly prohibited Member States from granting such standing. In fact, this possibility aligned with the Data Protection Directive’s objectives. The key question is whether the GDPR changes this precedent.

The Advocate General analyzed the characteristics of the GDPR, noting that its regulatory format suggests a greater emphasis on comprehensive harmonization compared to the minimum standards approach of the Data Protection Directive. However, the situation is more nuanced. The GDPR’s legal foundation, Article 16 TFEU, prevents the interpretation that the EU, by enacting the GDPR, preempted all potential implications of personal data protection on areas like employment, competition, or consumer law. This would strip Member States of their ability to establish specific rules in these areas. While data protection has broad implications, the harmonization doesn’t encompass all these areas. Furthermore, the level of harmonization within the GDPR itself isn’t uniform. Simply being a regulation doesn’t automatically eliminate all scope for Member State action.

Given this context, Article 80(2) uses the word “may,” indicating its optional nature. When interpreting its scope, the Advocate General argued that the entities listed there should not be confined solely to those exclusively focused on data protection. Instead, it should encompass all entities pursuing public interest objectives related to personal data protection. Additionally, other aspects of Article 80(2) should not be interpreted narrowly. For instance, the entity should not be required to demonstrate specific existing instances of individuals harmed by the processing in question.

Instead, an alleged infringement of provisions protecting individual rights suffices. The provision’s goal is to empower these bodies to request a review by a competent authority to ascertain if the GDPR’s rights-granting provisions are being upheld. The emphasis here is on safeguarding the collective interests of consumers. This viewpoint is reinforced by the approach adopted in Directive 2020/1828 on consumer injunctions, particularly recital 15. This aligns with the case at hand, where the Federation seeks an injunction against Facebook Ireland.

More broadly, the Advocate General argued that preventing Member States from implementing actions that protect both consumers and personal data would contradict the objective of ensuring a high level of personal data protection. Safeguarding collective consumer interests is particularly conducive to establishing robust data protection, and a restrictive interpretation of Article 80(2) would hinder the preventative function of actions undertaken by such bodies. Injunctions, like the one sought in this case, contribute to effectively upholding rights.

While data protection and consumer law have evolved separately, they intersect, as do competition laws. The same conduct can fall under all three domains. While consumers and data subjects are distinct, there is overlap. This results in complementarity and convergence between these legal areas, potentially enhancing protection.

In conclusion, Article 80(2) doesn’t preclude legislation allowing these entities to bring actions to enforce data protection rights.

Comment

The conclusion, particularly given the “Fashion ID” precedent, is not entirely unexpected, though the CJEU’s judgment is pending. Notably, the Advocate General emphasizes that despite being a regulation, the GDPR is not inflexible, especially when it comes to upholding high levels of data protection. The Advocate General implies that each clause requires contextual interpretation in light of GDPR’s objectives and the need to ensure robust protection. The impact of the regulation’s legal basis should not be overlooked. The reference to high levels of protection isn’t mere rhetoric; it’s a driving force in the Advocate General’s reasoning.

The acknowledgment of interplay between data protection, consumer law, and competition law is noteworthy. The Advocate General leverages this interconnectedness to bolster protection rather than treating these areas as isolated silos, which could potentially weaken safeguards. The Advocate General’s approach appears sound, recognizing that identical conduct can trigger rules in each area. This overlap highlights the need for collaboration between regulators across these domains. This approach is significant as it signifies support for efforts to address issues posed by dominant ICT companies built on user data through a variety of legal means. This is particularly crucial given the perceived shortcomings in effectively enforcing data protection regulations in some Member States.

Licensed under CC BY-NC-SA 4.0