On 28 May 2020, the German Federal Court of Justice (BGH) asked the Court of Justice of the European Union (CJEU) for a preliminary ruling on whether consumer protection associations and competitors are entitled to bring actions for injunctions in their own name against controllers under the EU General Data Protection Regulation (GDPR) if member state law provides for such rights.

Once we have it, the ruling will be very important for all companies doing business in the EU, as they may have to defend themselves against injunctions from consumer protection associations and competitors if they allegedly breach provisions of the GDPR that qualify as market conduct rules. This is in addition to GDPR proceedings initiated by data privacy authorities or data subjects.

The current proceeding before the BGH

In the case at hand, the Verbraucherzentrale Bundesverband (vzbv), an umbrella body for Germany's consumer rights groups, filed a lawsuit against a social network provider for an alleged breach of the requirements for obtaining valid consent under the GDPR on its platform, in particular in connection with video games offered by third parties.

According to a recent CJEU decision, before the GDPR entered into force, organisations such as the vzbv were entitled to pursue (potential) data privacy violations and bring them before the courts.

Whether organisations such as the vzbv can bring such actions against controllers under the GDPR centres on the wording of Article 80 GDPR, which allows organisations to:

  • represent data subjects in proceedings against controllers for a violation of their statutory data protection rights; and 
  • independently lodge complaints to the competent supervisory authorities. 

However, the GDPR is silent on the question of whether they may enforce GDPR violations in their own name in court when the rights of a specific data subject have been violated.

Recent case law differs on whether Article 80 GDPR has to be understood as an exhaustive list of an organisation’s rights under the GDPR or whether member states may effectively introduce further competences for them.

This also applies to the question of whether competitors may have such rights under member state law, which would only be the case if the provisions of the GDPR qualified as market conduct rules that are meant to prevent distortion of competition.

Under the GDPR’s predecessor, the European Data Protection Directive, the CJEU took the view that consumer protection associations, as well as competitors, were entitled to bring actions against non-compliant controllers. 

However, considering that the GDPR is not just an update of the Directive but a completely new act, the BGH decided that this question could not be answered by simple reference to the former legal framework.

The crucial difference between the Directive and the GDPR is that the former empowered member states to adopt 'suitable measures' for ensuring the full implementation of its provisions while the GDPR aims to harmonise the law across the EU.

Potential consequences for business in the EU

If organisations such as consumer protection associations could bring actions against companies for data protection violations under the GDPR, controllers in all member states would be adversely affected, since such organisations, unlike data subjects, would be entitled to bring civil claims against companies even before any material or non-material damage has been caused.

However, since the GDPR does not contain any explicit provisions on this matter, the exact scope of such a right of action for public interest organisations would be determined by member state law. For example, in Germany the right is limited to data privacy violations by companies that have processed consumer data for commercial purposes.

Additionally, the CJEU could confirm that member states may introduce effective national laws that allow companies to tackle their competitors. 

Therefore, in terms of the GDPR, besides data privacy authorities and data subjects, there would be two additional groups of potential claimants on the horizon.

Outlook

If the CJEU strengthens the position of public interest organisations under the GDPR, it is likely that the number of filings before courts based on potential data protection breaches would further increase, particularly as data subjects generally do not sue because of minor infringements and the capacities of data protection authorities in many member states are still very limited.

Apart from the question of the potential right of public interest organisations to file for injunctive relief in data protection cases, it remains unclear whether such organisations may bring class actions on behalf of consumers in order to have data protection violations confirmed in court. If this were the case, consumers could be encouraged to claim damages for minor infringements as well.

It's probably only a matter of time until the CJEU is asked to rule on this highly contentious matter. Answers from the CJEU in response to the BGH’s questions are expected in the course of next year.