The European Court of Justice (ECJ) has strengthened consumer protection associations as watchdogs in data protection breaches. The Federation of German Consumer Organizations (vzbv) got the green light from Luxembourg to take action against Facebook parent company Meta in the event of data protection violations. They do not have to be instructed to do so by affected users.
What was at stake?
What large Internet corporations and social media platforms are allowed to do and what they are not allowed to do is repeatedly the subject of court decisions at the EU level. The vzbv had already complained in 2012, at that time still against Facebook Ireland, that the offering of free games from third-party providers in an app center of the platform violated data protection law and other regulations. The consumer advocates’ action for an injunction was successful in the first and second instances. In contrast, the Federal Court of Justice (BGH) had doubts about the admissibility of the action, as the legal situation had changed with the entry into force of the General Data Protection Regulation (GDPR) in 2018. In the event of such doubts, national courts must refer the case to the ECJ in Luxembourg, as only it may decide on the interpretation of EU law. The BGH, therefore, asked the ECJ whether data protection compliance was now a matter for the supervisory authorities.
What does the ECJ say?
With the latest decision of the ECJ (judgment of 28.04.22, C-319/20), it is clear that consumer associations may sue if a data processing operation violates the rights of a person. Concrete damage to a specific person does not have to be shown, nor do consumer associations have to be instructed by a data subject to file a lawsuit. According to the judges in Luxembourg, the aim of the GDPR is to “ensure a high level of protection of personal data.” The conditions for the vzbv’s right to sue had been met. It is in the public interest to “guarantee the rights of consumers.”
What are the consequences of this ruling for companies?
Consumer associations play a major role, particularly in Germany, when it comes to protecting consumer rights against large companies. The focus to date has been on compliance with the consumer protection laws introduced by the EU in the area of online commerce. This often involved the legality of general terms and conditions (GTC), rights of withdrawal, and information requirements. Now data protection law will also be added. In the future, companies will have to expect that their practices will also be reviewed by consumer protection associations from a data protection perspective and that grievances will be raised.
Consumer protection agencies are likely to focus in particular on publicly accessible data protection issues such as privacy notices, cookie banners, tracking and analysis of user behavior, e.g., by Google Analytics, and data subjects’ rights. Possible violations are openly apparent and can be easily detected. For example, the association NOYB (“None of Your Business”), founded around Max Schrems, uses automated tools to check websites for their data protection compliance. And NOYB does not shy away from reporting its findings to the supervisory authorities in hundreds of complaints.
So who is Max Schrems?
Max Schrems has become famous because, as an Austrian law student, he has already twice brought down EU data protection agreements with the U.S. with his lawsuits against Facebook before the ECJ.
Do companies have more to fear?
The ruling deals exclusively with the question of whether associations can sue companies to stop a certain behavior. It did not deal with direct payments.
In the future, however, consumer associations will even be allowed to sue for damages. Germany has until 2023 to transpose the EU directive on collective actions into German law. At first glance, this is similar to the model declaratory action introduced by German lawmakers in response to the Volkswagen diesel lawsuits. However, the new possibilities go far beyond this. In particular, the EU class action is not limited to a declaratory action. Rather, claims for repair, replacement, price reduction, contract termination, or reimbursement of the price paid – and also damages – can be asserted.
Are there already lawsuits for damages?
Yes, indeed. The Munich Regional Court has ordered a company to pay a visitor to the company’s website EUR 100 in damages. Fonts from Google were integrated into the website. When a user visits the website, the user’s browser establishes a connection to a Google server in the USA and transmits the user’s pseudonymous IP address. The defendant company had not obtained the user’s consent for this. For the claim for damages, it was sufficient for the court that the plaintiff claimed to feel discomfort because he did not know what was happening with his IP address.
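The kind of embedding at issue in the Munich case can be found by reading a page's own markup. The following is an added example, not code from the article or from any tool it mentions: a static check that lists resources a page loads from other hosts, with `shop.example` and the sample page as constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts for the services the article names; extend with your own review list.
FLAGGED = {"fonts.googleapis.com": "Google Fonts (CSS)",
           "fonts.gstatic.com": "Google Fonts (font files)",
           "www.google-analytics.com": "Google Analytics"}
LOADING_RELS = {"stylesheet", "preload", "preconnect", "prefetch", "icon"}
SRC_TAGS = {"script", "img", "iframe", "source", "video", "audio", "embed"}
# Matches url(...) and bare @import "..." references inside CSS.
CSS_REF = re.compile(r"""(?:@import\s+(?!url\()|url\(\s*)['"]?([^'")\s;]+)""", re.I)

class ThirdPartyScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.own_host = page_url, urlparse(page_url).hostname
        self.in_style, self.findings = False, []
    def _check(self, ref, where):
        host = urlparse(urljoin(self.page_url, ref)).hostname
        if host and host != self.own_host:  # relative and data: URLs are skipped
            self.findings.append((host, FLAGGED.get(host, "other third party"), where))
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = set((a.get("rel") or "").lower().split())
        if tag == "style":
            self.in_style = True
        elif tag == "link" and a.get("href") and rels & LOADING_RELS:
            self._check(a["href"], "<link>")  # canonical/alternate links load nothing
        elif tag in SRC_TAGS and a.get("src"):
            self._check(a["src"], f"<{tag}>")
    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"
    def handle_data(self, data):
        for ref in CSS_REF.findall(data) if self.in_style else []:
            self._check(ref, "<style>")

def scan(html, page_url):
    scanner = ThirdPartyScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings  # list of (host, label, where)

# Constructed sample page for a hypothetical site, shop.example.
SAMPLE = """<head><link rel="canonical" href="https://other.example/p">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<style>@import url("//fonts.googleapis.com/css?family=Lato");
@font-face{font-family:X;src:url(/fonts/x.woff2)}</style>
<script async src="https://www.google-analytics.com/analytics.js"></script>
</head><body><img src="logo.png"></body>"""
```

A static scan only sees what is in the delivered HTML; resources injected by scripts or released by a consent banner need a check in a real browser, and fonts served from the site's own host do not show up as findings.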
But 100 EUR is not much!?
That is true. But imagine the website of an online store or a bank. If 10,000 users claim damages of 100 EUR, it will be expensive. Resourceful start-ups from the field of LegalTech could come up with the idea of asserting such claims with the help of an app and in a largely automated way. Just think of the assertion of air passenger rights by companies like Flightright. And it could get even more expensive if such claims are asserted in bundles. Whether this is permissible, however, is still a matter of dispute.
What needs to be done?
It is, therefore, high time to eliminate deficits in dealing with the GDPR in order to avoid lawsuits, fines, and claims for damages. Companies should start with publicly available privacy statements and cookie notices, and they should have a process for information requests from customers and employees.