This update discusses the background and consequences from the judgment and asks whether the EU is now ushering in a new era of autonomous claims for data protection law breaches, which companies who collect and process personal data in the EU (“DCs”) will need to be aware of.
The case was centered around a claim brought by the Federation of German Consumer Organizations (“FGCO”) against Meta Platforms Ireland (“Meta”) that Meta was not providing a clear enough explanation of how personal data was being processed on its gaming platform ‘App Centre’.
The FGCO argued that individuals, when viewing certain games provided by third parties in the App Centre, were informed that the use of these games enabled the relevant gaming company to both obtain certain personal data and publish such data on behalf of that individual, including pictures and photos. In addition, individuals were informed that, by using the application, the individual accepted the general terms and conditions and data protection policy.
The FGCO argued that the use of personal data and the information provided was unfair and a breach of consumer rights, as well as a breach of data protection rights. An action was therefore brought in the German Federal Court of Justice (“GFCJ”) for an injunction against the use of the App Centre.
Notably the FGCO action was not based on any mandate from an individual who had used the App Centre and the FGCO brought the action independently of any specific claim by an individual that their consumer or data protection rights right were breached. On the basis they were not clear as to whether a case brought by the FGCO was admissible, the GFCJ referred the matter to the CJEU.
Article 80 of the GDPR national legislation may permit individual consumer groups or associations to bring representative actions for breaches of the GDPR when mandated by concerned individuals. In this case, though, no such mandate had been provided, and Meta argued that the GDPR precluded such options.
The CJEU, however, found that a claim was sufficient if the data processing concerned could affect the rights of identified or identifiable natural persons under the GDPR without actual harm suffered by the data subject. As a result, consumer groups can put forth representative actions for data protection violations regardless of whether they have been mandated or not by one or more specific individuals.
Consequentially, a consumer protection association that pursues a public interest objective that safeguards the rights and freedoms of data subjects in their capacity as consumers would have standing in accordance with Article 80(2) of the GDPR.
Impact of the Judgement
Ultimately, the judgement strengthens consumer groups’ ability to bring legal proceedings under Article 80 of the GDPR when pursuing a public interest objective or engaging in consumer protection.
Practically, consumer groups are far more likely to bring cases against DCs than concerned individuals, meaning that DCs are more likely to face further claims about the way in which they collect and use individuals’ personal data. And though not all national legislation in the EU allow consumer groups to bring suit under Article 80, this may not deter certain groups from forum shopping and only bringing lawsuits against DCs in the jurisdiction with the most favorable consumer protection laws.
Development of New Legislation
Relatedly, the significance of this judgement and the related forum shopping phenomenon might only be relevant for a short time. The new EU Representative Actions Directive will enable consumer groups that meet specific criteria to launch representative actions in all EU countries for violating certain EU laws, including the GDPR. This directive is due to be transposed into national law by member states before the end of 2022.
Ultimately the CJEU judgement in the Meta case forms part of a more concerted drive within the EU to recognize that, in a digitalized economy where personal data affects individuals in their capacity as consumers laws intended to protect personal data will often go hand in hand with those designed to protect of consumer rights. As a result, consumer rights groups will become increasingly empowered to enforce the protection of personal data.
Baker Botts is currently advising clients on a multitude of issues relating to the GDPR and will be releasing further information and updates on the impact of both the CJEU’s judgment and the new EU Representative Actions Directive. Please contact us if you have further questions.
In addition, Baker Botts has a pre-eminent data protection and technology practice. Please let us know if you have any questions or if you would like to know more about how we can help you to approach complying with the GDPR, or with other data laws in any other jurisdictions.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.