Lorna Woods, Professor of Internet Law, University of Essex
The Bundesverband der
Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale
Bundesverband e.V. (Federation of German Consumer Organisations) sought to
bring an action before the German courts arguing that Facebook, in the context
of making free, third party games available on its platform, contravened data
protection rules by not giving adequate information about the data collected
and that this also constituted a violation of rules on unfair competition and on
consumer protection. It brought this action before the Bundesgerichtshof,
which court had
doubts as to whether the federation had standing given the entry into force
of the GDPR. It referred questions
on this issue to the CJEU.
As the Advocate General phrased
the question, the issue was whether Article
consumer protection associations from retaining, following the entry into force
of that regulation, the standing to bring proceedings that national law confers
on them in order to obtain injunctions against conduct that constitutes both an
infringement of the rights conferred by that regulation and an infringement of
the rules designed to protect consumer rights and to combat unfair commercial
practices [para 4].
In Germany, the standing of the
federation would not have been in doubt prior to the introduction of the GDPR;
the question is whether it has been altered by the GDPR and, specifically,
whether the GDPR exhaustively provides for the mechanisms by which its
provisions are enforced so that it precludes national legislation which allows
consumer protection bodies to bring actions against those allegedly responsible
for an infringement of personal data, relying on other causes of action.
The Advocate General’s opinion commenced by noting that, since the Federation had not
been mandated by a data subject to bring the action, the relevant provision was
Article 80(2) GDPR. The Court has considered a similar question in relation to
the Data Protection Directive in Fashion
ID. It found that Articles 22-24 of the Data
Protection Directive “must be interpreted as not precluding national
legislation which allows consumer-protection associations to bring … legal
proceedings against a person allegedly responsible for an infringement of the
protection of personal data” [para 63 Fashion
ID, cited para 44]. The Directive neither required Member States to give
such organisations standing to bring a data protection action nor
expressly precluded it. Indeed, the provision of such a possibility contributed
to the objectives of the Data Protection Directive. So, the question is – has anything changed?
The Advocate General considered
the characteristics of the GDPR. The fact that it is in the form of a
regulation (by contrast to the previous directive) suggests a tendency towards
full harmonisation rather than the minimum standards found in the Data
Protection Directive. However, as the Advocate General pointed out, “[t]he
truth is more complex” [para 51]. He pointed to the legal base for the GDPR: Art 16 TFEU which
the view that in adopting [the GDPR] the European Union would have pre-empted
all the ramifications which the protection of personal data may have in other
areas relating, in particular, to employment law, competition law or even
consumer law, by depriving Member States of the possibility of adopting
specific rules in those areas ….” [para 51].
Data protection has a
cross-sectoral impact but the harmonisation does not cover all of these areas.
Moreover, the intensity of the harmonisation is not uniform across the GDPR.
The use of a regulation does not necessarily mean that Member States have no
scope for action [para 53].
Against this background we see
that Article 80(2) is “optional” – it uses the word ‘may’ [para 54].
Interpreting the scope of Article 80(2) the Advocate General considered that
the entities listed there could not be limited
to those entities whose sole and exclusive object is data protection,
but “extends to all entities which pursue an objective in the public interest
that is connected with the protection of personal data” [para 61]. He also
argued that other aspects of Article 80(2) should not be interpreted
restrictively, so that the entity should not be required to show specific
existing cases of persons affected by the processing.
Rather, all that is required is
an allegation of an infringement of the provisions designed to protect individual
rights. The objective of the provision is to give the bodies the ability to
have a competent body check whether the rights-granting provisions of the GDPR
are being complied with; the emphasis is on the protection of the collective
interests of consumers. This viewpoint is supported also by the approach in Directive
2020/1828 on consumer injunctions (see especially recital 15). This is the
position in this case, in which the federation seeks an injunction against
Facebook Ireland [para 70].
More generally, he argued that
be contrary to the objective of ensuring a high level of protection of personal
data if the Member States were precluded from putting in place actions which,
while pursuing an objective of protecting consumers, also help to achieve the
objective of protecting personal data” [para 75].
The defence of collective
interests of consumers is, in the view of the Advocate General, particularly
suited to the establishment of a high level of data protection and a narrow
interpretation of Article 80(2) would interfere with the preventative function
of actions brought by such bodies. An injunction, as in issue here, contributes
to the effective protection of rights.
While the laws pertaining to data
protection and consumer law have developed separately, there are interactions
between the two areas; a similar point can be made in relation also to
competition law: the same conduct can simultaneously be covered by all three
regimes. While consumers are different from data subjects, these also overlap.
This leads to ‘complementarity and convergence’ between these different areas
of law and these may mutually strengthen protection.
In sum, Article 80(2) did not
preclude legislation that allowed these entities to bring an action in the
interest of enforcement of data protection rights.
The end point in this, especially
given Fashion ID, is not so surprising, though we will – of course – need to
wait for the Court’s judgment on this. It is noticeable that the Advocate
General goes to some lengths to emphasise that although the GDPR is a
regulation, it is not closed, and especially not where the higher levels of
protection for data are concerned. The
implication of the Advocate General’s reasoning is of course that each clause
will need to be considered on its own terms, but always in the light of the
objectives of the GDPR and the need to ensure a high level of protection. Here,
the impact of the regulation’s legal base should be noted; the reference to
high levels of protection is not just verbiage but has been used as a
motivating force in the reasoning of the Advocate General.
Another point of interest is the
recognition of the interplay between the different types of law: data
protection, consumer and even competition law. The Advocate General has used
this interplay to strengthen protection, rather than assigning types of law to
silos, and potentially thereby undermining protection. The approach of the
Advocate General seems right – as he notes, the same conduct may fall within
each of these rules. There is overlap, but it raises the question more broadly
of the need for cooperation between at least the regulators in each of the
fields. This approach is also noteworthy
as it illustrates support for attempts to deal – using a range of different
legal mechanisms – with problems relating to the super-dominant ICT business
built on user data. This is particularly significant given the perceived
weakness in effective data protection regulation in some Member States.