Lorna Woods, Professor of Internet Law, University of Essex
The Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (Federation of German Consumer Organisations) sought to bring an action before the German courts arguing that Facebook, in the context of making free, third party games available on its platform, contravened data protection rules by not giving adequate information about the data collected and this also constituted a violation of rules on unfair competition and on consumer protection. It brought this action before the Bundesgerischtshof, which court had doubts as to whether the federation had standing given the entry into force of the GDPR. It referred questions on this issue to the CJEU.
As the Advocate General phrased the question, the issue was whether Article 80(2) GDPR
precludes consumer protection associations from retaining, following the entry into force of that regulation, the standing to bring proceedings that national law confers on them in order to obtain injunctions against conduct that constitutes both an infringement of the rights conferred by that regulation and an infringement of the rules designed to protect consumer rights and to combat unfair commercial practices [para 4]
In Germany, the standing of the federation would not have been in doubt prior to the introduction of the GDPR; the question is whether it has been altered by the GDPR and, specifically, whether the GDPR exhaustively provides for the mechanisms by which its provisions are enforced so that it precludes national legislation which allows consumer protection bodies to bring actions against those allegedly responsible for an infringement of personal data, relying on other causes of action.
The Advocate General’s opinion commenced by noting that, since the Federation had not been mandated by a data subject to bring the action, the relevant provision was Article 80(2) GDPR. The Court has considered a similar question in relation to the data Protection Directive in Fashion ID. It found that Articles 22-24 of the Data Protection Directive “must be interpreted as not precluding national legislation which allows consumer-protection associations to bring … legal proceedings against a person allegedly responsible for an infringement of the protection of personal data” [para 63 Fashion ID, cited para 44]. The Directive neither required Member States to give such organisations standing to bring a data protection action, but nor did it expressly preclude it. Indeed, the provision of such a possibility contributed to the objectives of the Data Protection Directive. So, the question is – has anything changed?
The Advocate General considered the characteristics of the GDPR. The fact that it is in the form of a regulation (by contrast to the previous directive) suggests a tendency towards full harmonisation rather than the minimum standards found in the Data Protection Directive. However, as the Advocate General pointed out, “[t]he truth is more complex” [para 51]. He pointed to the legal base for the GDPR: Art 16 TFEU which
“precludes the view that in adopting [the GDPR] the European Union would have pre-empted all the ramifications which the protection of personal data may have in other areas relating, in particular, to employment law, competition law or even consumer law, by depriving Member States of the possibility of adopting specific rules in those areas ….” [para 51]
Data protection has a cross-sectoral impact but the harmonisation does not cover all of these areas. Moreover, the intensity of the harmonisation is not uniform across the GDPR. The use of a regulation does not necessarily mean that Member States have no scope for action [para 53].
Against this background we seen that Article 80(2) is “optional” – it uses the word ‘may’ [para 54]. Interpreting the scope of Article 80(2) the Advocate General considered that the entities listed there could not be limited to those entities whose sole and exclusive object is data protection, but “extends to all entities which pursue an objective in the public interest that is connected with the protection of personal data” [para 61]. He also argued that other aspects of Article 80(2) should not be interpreted restrictively, so that the entity should not be required to show specific existing cases of persons affected by the processing.
Rather, all that is required is an allegation of an infringement of the provisions designed to protect individual rights. The objective of the provision is to give the bodies the ability to have a competent body check whether the rights-granting provisions of the GDPR are being complied with; the emphasis is on the protection of the collective interests of consumers. This viewpoint is supported also by the approach in Directive 2020/1828 on consumer injunctions (see especially recital 15). This is the position in this case, in which the federation seeks an injunction against Facebook Ireland [para 70].
More generally, he argued that
“[i]t would be contrary to the objective of ensuring a high level of protection of personal data if the Member States were precluded from putting in place actions which, while pursuing an objective of protecting consumers, also help to achieve the objective of protecting personal data” [para 75].
The defence of collective interests of consumers is, in the view of the Advocate general, particularly suited to the establishment of a high level of data protection and a narrow interpretation of Article 80(2) would interfere with the preventative function of actions brought by such bodies. An injunction, as in issue here, contributes to the effective protection of rights.
While the laws pertaining to data protection and consumer law have developed separately, there are interactions between the two areas; a similar point can be made in relation also to competition law: the same conduct can simultaneously be covered by all three regimes. While consumers are different from data subjects, these also overlap. This leads to ‘complementarity and convergence’ between these different areas of law and these may mutually strengthen protection.
In sum, Article 80(2) did not preclude legislation that allowed these entities to bring an action in the interest of enforcement of data protection rights.
The end point in this, especially given Fashion ID, is not so surprising, though we will – of course – need to wait for the Court’s judgment on this. It is noticeable that the Advocate General goes to some lengths to emphasise that although the GDPR is a regulation, it is not closed, and especially not where the higher levels of protection for data are concerned. The implication of the Advocate General’s reasoning is of course that each clause will need to be considered on its own terms, but always in the light of the objectives of the GDPR and the need to ensure a high level of protection. Here, the impact of the regulation’s legal base should be noted; the reference to high levels of protection is not just verbiage but has been used as a motivating force in the reasoning of the Advocate General.
Another point of interest is the recognition of the interplay between the different types of law: data protection, consumer and even competition law. The Advocate General has used this interplay to strengthen protection, rather than assigning types of law to silos, and potentially thereby undermining protection. The approach of the Advocate General seems right – as he notes, the same conduct may fall within each of these rules. There is overlap, but it raises the question more broadly of the need for cooperation between at least the regulators in each of the fields. This approach is also noteworthy as it illustrates support for attempts to deal – using a range of different legal mechanisms -with problems relating to the super-dominant ICT business built on user data. This is particularly significant given the perceived weakness in effective data protection regulation in some Member States.
Photo credit: Johnscotaus, via Wikimedia Commons