Can consumer protection groups claim for GDPR infringements?

Germany

Since the General Data Protection Regulation (“GDPR”) came into force, there has been controversy in Germany as to whether third parties not directly affected by data processing, can claim if the GDPR requirements are not complied with. Third parties which may be interested in bringing complaints might include competitors and consumer protection associations. If these are also able to issue warnings about any violations of data protection law, companies processing data will be exposed to a significantly higher risk.

The controversy is between those who argue, from case law and literature, that the GDPR enforcement system is exhaustive and excludes the possibility of third parties issuing warnings based on competition law rights. There is, however, another school of thought which believes the GDPR allows room for this additional, national enforcement mechanism.

Recently the Federal Court of Justice (BGH) referred a case (Case I ZR 186/17) to the Court of Justice of the European Union (ECJ) for a preliminary ruling on the rights of consumer groups to issue GDPR compliance warnings.

What is the case about?

The case deals with games made available for free on Facebook which are accessed in the App Center by clicking a button. Immediately below the button, users are informed that by clicking they will provide the application with, amongst other things, general user information including email address and status messages. In addition, the application may post messages on behalf of the Facebook user, including the game score.

One large consumer group is alleging that Facebook users do not give effective consent to the processing of their personal data merely by clicking on the button and that Facebook is, therefore, engaging in an anti-competitive practice. The group is requiring Facebook to cease and desist this practice. The BGH will decide whether, as a third party, the consumer group is entitled to issue enforcement notices in respect of alleged GDPR violations.

The process in the appeal stages

The Berlin Regional Court originally ruled in favour of the consumer group and at first instance ordered Facebook to cease and desist the practice. Facebook appealed to the Berlin Higher Regional Court but were unsuccessful. They have now appealed to the Federal Court of Justice to have the first instance decision overturned and the consumer group's application dismissed.

The Federal Court of Justice (BGH) initially suspended its decision while awaiting a decision from the ECJ in another case: this case was a referral by the Düsseldorf Higher Regional Court to the ECJ on an almost identical question arising under the Data Protection Directive, the predecessor to the GDPR. The dispute in the Düsseldorf case arose between a German fashion company and another German consumer group. The fashion company used the Facebook “Like” button on its website and the group believed this to be unlawful without the explicit consent of the user. The ECJ in its ruling of 29 July 2019 (Case C-40/17) decided that the remedies provided under the Data Protection Directive were not exhaustive and so the directive did not generally prevent enforcement by consumer protection associations using the competition law regime.

Since this decision of the ECJ was issued with respect to the Data Protection Directive and not the GDPR, the Federal Court of Justice has had to refer the question again to the ECJ asking for a specific interpretation of the GDPR.

Why the ECJ may decide in favour of consumer protection associations

In its decision on the “Like” button case, the ECJ made interpretative rulings in relation to the Data Protection Directive which may be transferable to the GDPR. These rulings seem to make a decision in favour of the consumer protection authorities more likely.

The ECJ, for example, emphasised that the Data Protection Directive aims to ensure “effective and complete protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data”. This statement is similar to recital 2 of the GDPR that “the principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, […] respect their fundamental rights and freedoms, in particular their right to the protection of personal data.”.

The ECJ also held that giving consumer groups standing to bring claims contributes to the achievement of the objectives of the Data Protection Directive. This principle can also be applied to the GDPR.

The Data Protection Directive stipulates that the Member States must adopt “suitable measures” to ensure the full application of the provisions of the Data Protection Directive. The Directive does not, however, define what these measures should be. Article 84 of the GDPR is similar. It states: “Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented.”.

How other German courts have recently decided

Most recently, the Stuttgart Higher Regional Court has also held that the GDPR does not contain any exhaustive provision on enforcement in the event of GDPR infringements. Competition associations are, therefore, authorised to claim in respect of GDPR violations as these are market conduct regulations (Case No. 2 U 257/19).

What this means for companies

Companies should anticipate that the ECJ will classify the provisions of the GDPR as being non-exhaustive with regard to enforcement. This may lead to the Federal Court of Justice confirming that consumer groups have standing to bring complaints about GDPR violations. Companies should, therefore, prepare for this outcome. Public relations and marketing materials should be checked for compliance with data protection regulations. Website designs in particular should be reviewed, including their data protection features, cookie banners and the design and content of newsletter consents as well as social media presence.