Such an action can be brought in the absence of a mandate by data subjects to that effect
The Court of Justice of the European Union has ruled in the case of Case C-319/20 Meta Platforms Ireland.
Meta Platforms Ireland, formerly Facebook Ireland Limited, is the controller of the personal data of users of the online social network Facebook in the EU.
A German consumer protection association sought an injunction against Meta Platforms Ireland, alleging that it had infringed, in the context of making available to users free games provided by third parties, rules about the protection of personal data, unfair commercial practices and consumer protection.
The German referring court had doubts about the action’s admissibility. It asked the CJEU if, following the entry into force of the GDPR, a consumer protection association still has standing to bring proceedings in the civil courts against infringements of the GDPR, independently of the specific infringement of rights of individual data subjects and without being mandated to do so by those data subjects. It also took the view that it was for the supervisory authorities to regulate the GDPR.
The CJEU has ruled that the GDPR does not preclude national legislation which allows a consumer protection association to bring legal proceedings where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from the GDPR.
It noted that the GDPR harmonises, in principle fully, national legislation on the protection of personal data. However, certain provisions of the GDPR provide member states with a certain level of discretion about how those provisions may be implemented, as long as the national rules adopted do not undermine the content and objectives of the GDPR. In that regard, the member states also have the option to provide for a representative action mechanism against the person allegedly responsible for an infringement of the laws protecting personal data, while setting out a number of requirements which must be complied with.
The Court said that a consumer protection association falls within the scope of the concept of a “body that has standing to bring proceedings” under the GDPR because it pursues a public interest objective safeguarding the rights of consumers. The infringement of the rules on consumer protection and unfair commercial practices may be related to the infringement of the GDPR.
The Court also said that the bringing of a representative action presupposes that such an association, independently of any mandate conferred on it, ‘considers’ that the rights of a data subject in the GDPR have been infringed as a result of the processing of their personal data, without it being necessary to identify, individually and beforehand, the person specifically concerned by that processing and to allege the existence of a specific infringement of the rights deriving from the data protection rules. Such an interpretation is consistent with the GDPR’s objective to ensure a high level of protection of personal data.
Finally, according to the Court, the GDPR does not preclude national provisions which provide for the bringing of representative actions against infringements of the rights conferred by the GDPR through, as the case may be, rules intended to protect consumers or combat unfair commercial practices.