Consumer protection associations may bring representative actions against infringements of the GDPR

February 7, 2021

Advocate General Richard de la Tour has delivered an opinion in Case C-319/20 Facebook Ireland. The case arose in the context of a dispute in Germany.  The Federation of German consumer organisations said that Facebook Ireland, when making available in the App Centre of the platform free games supplied by third parties, infringed rules about the protection of personal data, combatting unfair competition and consumer protection. It sought an injunction from German courts against Facebook Ireland.

The German courts ruled that Facebook Ireland had not provided to users (in a concise, transparent, intelligible and easily accessible form, using clear and plain language) the necessary information relating to the purposes of the processing of the data and the recipient of the personal data. Therefore, Facebook Ireland had infringed the GDPR.

However, the German Bundesgerichtshof had doubts about whether the action was admissible. It questioned if a consumer protection association had standing to bring proceedings independently of an actual infringement of the rights of individual data subjects and without being mandated by them.  Among other things, it said that it might be inferred from the fact that the GDPR confers on the supervisory authorities extended supervisory and investigative powers and the power to adopt corrective measures that it is primarily for those authorities to oversee the application of the provisions of that regulation.  Therefore, it asked the Court of Justice to make a ruling. 


Advocate General Jean Richard de la Tour has proposed that the Court interpret the GDPR in such a way that it does not prevent consumer protection associations to bring legal proceedings against the person alleged to be responsible for an infringement of the protection of personal data, on the basis of the prohibition of unfair commercial practices, the infringement of a law relating to consumer protection or the prohibition of the use of invalid general terms and conditions, as long as the objective of the representative action in question is to ensure observance of the rights which the persons affected by the contested processing derive directly from that regulation.

The Court of Justice had ruled on a similar question in relation to the Data Protection Directive 95/46, saying that the Directive did not prevent consumer protection associations to bring legal proceedings against a person allegedly responsible for an infringement of the protection of personal data. 

The Advocate General said that there was nothing to call that ruling into question and in his view, the member states may still provide for certain entities to bring (without a mandate from the data subjects and without there being a need to claim the existence of actual cases affecting named individuals) representative actions designed to protect the collective interests of consumers, as long as an infringement of the GDPR which is intended to confer subjective rights on data subjects is alleged. This applied to the action in this case.

The Advocate General also considered that the GDPR does not preclude national provisions which authorise a consumer protection association to bring an action for an injunction to ensure compliance with the rights conferred by the GDPR by means of rules designed to protect consumers or to combat unfair commercial practices. 

Such rules may contain provisions similar to those in the GDPR, especially regarding providing information to data subjects about the processing of their personal data. Consequently, the infringement of a rule relating to the protection of personal data may at the same time entail the infringement of rules relating to consumer protection or unfair commercial practices. 

The Advocate General also said that the defence of the collective interests of consumers by associations is particularly suited to the objective of the GDPR of establishing a high level of personal data protection.