In the Meta Platforms Ireland case of 28 April 2022, the Court of Justice of the European Union (the Court, hereafter) was called upon to rule on whether a consumer protection association may bring judicial proceedings against the person allegedly responsible for an infringement of the rights conferred by the General Data Protection Regulation (GDPR, hereafter) on data subjects, in the absence of a mandate granted to the association for that purpose and independently of any infringement of specific rights. In casu, the Federal Union of Consumer Organisations and Associations of Germany (Federal Union, hereafter) argued that Meta Platforms Ireland (formerly Facebook Ireland) had breached rules on the protection of personal data, unfair commercial practices and consumer protection.
Pursuant to Chapter VIII of the GDPR, protection of the rights of data subjects against a supervisory authority, controller or processor may be sought directly by the data subject (Articles 77, 78 and 79 of the GDPR) or, on behalf of the data subject, by a not-for-profit association constituted in accordance with the law of a Member State, which has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data (Article 80 of the GDPR). The association acts under a mandate from the data subject to that end (Article 80(1) of the GDPR) or, where the possibility is provided for under national law, the association may act independently of any mandate if it considers that the rights of data subjects under the GDPR have been infringed as a result of the processing of personal data (Article 80(2) of the GDPR).
Firstly, the Court noted that a consumer protection association such as Federal Union meets the personal conditions for bringing an action pursuant to Article 80(2) of the GDPR, given that it pursues a public interest objective consisting of safeguarding consumer rights. Pursuing the objective of consumer protection is likely, according to the Court, to be related to the protection of the personal data of those consumers. Secondly, the Court examined the material conditions in Article 80(2) of the GDPR that must be met for the purposes of exercising such an action. The Court found that it suffices that the association concerned considers that the rights of a data subject under the GDPR (a notion that covers not only an identified natural person but also an identifiable natural person) have been infringed as a result of the processing of his or her personal data, and that it alleges the existence of data processing contrary to the GDPR. It is necessary neither to identify the data subjects concerned individually and beforehand nor to prove any actual harm suffered as a result of an alleged infringement of the GDPR provisions. The burden of proof would therefore lie with the non-compliant party. The Court found that such an interpretation would be consistent with the objective of ensuring a high level of protection of personal data pursued by the GDPR. Interestingly, the Court considered that, by not limiting the possibility for associations to bring claims to infringements that individually and specifically affect a data subject, the action provided for in Article 80(2) of the GDPR is likely to prevent a large number of infringements of the rights under the GDPR.
The above findings of the Court raise several concerns. On the one hand, it can be argued that, by exercising the action in Article 80(2) of the GDPR (interpreted by the Court as an action of a preventive nature), legal persons such as consumer protection associations are likely to contribute to the enforcement of the GDPR. The latter finding appears at odds with Article 51 of the GDPR, according to which public authorities of the Member States (the so-called ‘supervisory authority’ under the GDPR) shall be responsible for monitoring the application of the GDPR to protect the fundamental rights and freedoms of natural persons in relation to the processing of personal data. Enforcement of the GDPR would thus be in the hands of both public and private actors, a design not intended by the drafters of the GDPR. On the other hand, one may wonder to what extent a not-for-profit association bringing proceedings pursuant to Article 80(2) of the GDPR would be acting for the protection of the rights of data subjects, given that such proceedings may be instituted even in the absence of any real infringement of specific rights. In other words, the link between the intervention of the association and the protection of data subjects’ rights will arguably be diluted.
Maddalen MARTIN, Legal standing of consumer protection associations under the General Data Protection Regulation, actualité du CEJE n° 13/2022, 8 June 2022, available at www.ceje.ch