Standing of Non-Profit Associations or Consumer Associations to File Collective Actions without a Data-Subjects Mandate: Case C-319/20 Meta Platforms
On 28 April 2022, the Court of Justice gave a revolutionary judgment for non-profit associations or consumer associations by granting such associations standing to bring GDPR claims in the collective interest of individuals, irrespective of an actual infringement of the data subjects’ rights and without being mandated by them.
Facts of the case
Meta Platforms Ireland supplies services from the social network Facebook in Germany. On a space called “App-Zentrum” (Applications Space) on Facebook, free games from third parties are available. When accessing these games, the user sees a notice that the use of the application allows the gaming company to obtain certain personal data and authorises it to publish, on behalf of the user, his/her scores. This use means that the user accepts the general conditions of the application and its data protection policy without having adequate information about the data collected.
The Federal Association of Consumer Centres and Consumer Associations Germany, a body with standing to act under German law (Article 4 of the Law on Injunctions), considered that these games breached legal requirements of obtaining valid user consent. It successfully filed for an injunction before the Berlin Regional Court on behalf of the data subjects whose rights had allegedly been violated. Meta Platforms appealed this decision first before the Higher Regional Court, Berlin, and then again before the Federal Court of Justice, Germany, which referred a preliminary question to the Court of Justice of the European Union.
The main issue in the case
The German referring court asked whether Article 80(2) GDPR precludes national legislation that allows a consumer association to take legal action without a mandate conferred on it for this purpose and independently of the violation of concrete rights of a data subject. If the GDPR precluded the national law, then the federation would not have had standing in the present case to initiate an action against Meta. It was essentially for the CJEU to determine whether the standing already available to a federation in Germany prior to the introduction of the GDPR had been altered by the GDPR. The key here is that the federation had not been mandated by a data subject, nor had it alleged a specific infringement of a data subject’s rights.
The question arose mainly due to the nature of the GDPR. It is a regulation and thus has an immediate effect in the Member States, but this does not mean that Member States enjoy no margin of discretion, as this judgment has confirmed. Article 80(2) GDPR must not be interpreted restrictively; accordingly, the federation must not be required to carry out a prior individual identification of the person specifically concerned by data processing that is allegedly contrary to the provisions of the GDPR. This is because, as regards the material scope of that mechanism, the exercise of the representative action provided for in Article 80(2) GDPR by an entity meeting the standing requirements in paragraph 1 of that Article presupposes that the entity concerned ‘considers’ that the rights of a data subject laid down in the GDPR have been infringed as a result of the processing of his or her personal data. Therefore, it is sufficient that the entity considers that there is data processing that is contrary to the provisions of the GDPR (see paras 59 and 67-68 of the judgment).
Standing of the Federal Association under Article 80 GDPR
Article 80 GDPR provides a collective action mechanism whereby non-profit bodies dedicated to personal data protection can initiate claims on behalf of data subjects whose rights have been infringed. The only requisites for the standing of an association under Article 80(1) are that the association is a “not-for-profit body, organisation or association, which has been validly constituted in accordance with the law of a Member State, whose statutory objectives are in the public interest and which is active in the field of data protection”. Such an association has standing if it “considers that the rights of a data subject provided for in this regulation have been violated by the processing” of their personal data (Article 80(2)). The GDPR does not explicitly define the term ‘data subject’ but refers to “an identified or identifiable natural person” as a data subject (Article 4(1)) (see para 63 of the Opinion of the Advocate General). An identifiable natural person is one who can be identified by using an identifier such as location data, online identifier, etc. Therefore, the designation of a category or a group of persons affected by such processing may also be sufficient to bring such a representative action (paras 68 and 69 of the judgment).
Article 80(2) GDPR – An open clause
Article 80(2) GDPR allows representative entities to start proceedings to exercise rights under Articles 77 to 79, where a data subject has the right to file an action against a supervisory authority and the right to an effective judicial remedy against a supervisory authority or a controller or processor, without any mandate of the data subject, where the law of Member States provides it. In that sense, Article 80(2) is broad enough to permit national legislators to establish opt-out-based representative actions. Since the federal association does not rely on the data subject’s mandate, the confusion that arises in interpreting this provision is due to the word ‘may’ in Article 80(2). Despite being a regulation, the GDPR leaves the Member States free to legislate, provided that they do not undermine its content and objectives. Therefore, the harmonisation brought by the GDPR varies depending on the provisions under consideration. There are about 50 provisions with open clauses in the GDPR, which give the Member States a margin of discretion when implementing such provisions. This open nature of the GDPR’s provisions also creates national implementation issues, which we will discuss later.
Germany has not specifically enacted a national provision to implement Article 80(2). However, the provisions under the national ‘Law on Injunctions’ which authorise a federation to file proceedings were adopted to transpose the Injunctions Directive. The German national provision already allows associations to take legal action against the alleged perpetrator of an infringement of personal data protection. The Court of Justice pointed out before in Fashion ID, relating to the interpretation of objectives of Directive 95/46 (the predecessor to the GDPR), that the fact that the Member States provide in their national law a possibility for consumer associations to commence legal proceedings against violators of the laws protecting personal data in no way undermines the objectives of that protection and, in fact, contributes to the realisation of those objectives.
The Injunctions Directive has now been replaced by the latest Representative Actions Directive, which states in Recital 15 that the Directive shall be without prejudice to legal acts listed in Annex I and not change or extend the definitions laid down in those legal acts or replace any enforcement mechanism that those legal acts might contain. The Annex contains the GDPR at point 56. Based on the doctrine of the direct effect of EU law, in Facebook Ireland, it was pointed out that the GDPR has an immediate effect in national legal orders without there being a need for national authorities to take implementing measures. Nevertheless, some of these provisions may require the adoption of implementing measures by the Member States (para 110 of that judgment).
Issues of national implementation
While implementing the provision for representative actions under the GDPR, some Member States have adopted broader procedural tools than those in the GDPR. On the other hand, some have more stringent conditions regarding the standing of the associations. The provisions adopted in a few Member States might not even be a satisfactory implementation of the GDPR. In her analysis of the implementation of the GDPR, Alexia Pato, without supporting such an interpretation, points out that a broader regime – e.g., granting standing to a broader range of actors – might be advantageous for private enforcement but may be problematic in the context of the implementation of minimum standards under the GDPR, since the Member States cannot transcend the minimum standards imposed by the regulation. However, it is not clear whether they can have more stringent criteria for standing. If they have stringent criteria, it will reduce the scope for its enforcement, thus creating difficulties in enforcing rights in the Member States with more stringent criteria.
Similarly, the Representative Actions Directive must be transposed into national law by December 2022. The national implementing provisions are bound to vary since the Directive does not replace existing national procedural mechanisms for the protection of collective or individual consumer interests (Recital 11). It only creates minimum standards, for example, requirements for standing only for qualified entities that will file cross-border actions. The different standing requirements will still exist even after the transposition of the Directive in the Member States, as discussed below.
The risk of differing national standing provisions under the GDPR and the Representative Actions Directive
A national measure that comes within the scope of Article 80(2) GDPR or one within the scope of the Representative Actions Directive will exist in parallel or will be incorporated in the same legal statute depending on whether the Member States already have a collective redress mechanism in place. The Directive does not regulate all aspects of representative actions but creates minimum criteria for qualified entities to initiate cross-border collective actions. Therefore, there is a risk of differing standing provisions at the national level due to the parallel implementation of the GDPR and the Representative Actions Directive. The differing provisions will create confusion for associations regarding where to initiate proceedings, especially in the context where Member States have stricter standing requirements than those set out under the GDPR or the Representative Actions Directive. For example, the German Musterfeststellungsklage (a so-called Model Declaratory Action to protect consumer interests) already has stricter requirements. A qualified entity complying with lower standards of another Member State may still be able to file a collective action in Germany based on the principle of mutual recognition. However, a German qualified entity complying with the same lower requirements may not be able to file a domestic representative action due to Germany’s restrictive standing requirements (see my detailed analysis here). The above analysis points toward a private enforcement gap in collective consumer redress. This judgment is an example of how this lacuna concerning the standing of non-profit bodies and consumer associations provides room for companies to delay the proceedings. The CJEU could have used the judgment in Meta Platforms to give an additional impetus towards further development in the EU’s collective redress possibilities by clarifying the parallel implementation of the GDPR and the Directive at the national level.
Conclusion
The judgment in Meta Platforms is revolutionary in the field of data protection. It is a guiding light for consumer associations working in this field to provide an effective remedy for consumers. It grants consumer associations a right to file a collective action, even without a specific mandate from data subjects or without subjective identification of individual data subjects. However, it could have done more by reflecting upon the notions of an effective remedy for consumers, especially in light of the national implementation of the standing provisions. Articles 4(2)(f), 12, 114 and 169 TFEU and Article 38 CFREU demonstrate the EU’s commitment to “ensure a high level of consumer protection”. Article 169 TFEU promotes “consumers’ health, safety and economic interests, and their right to information, education, and organisation to protect their interests”. It is long overdue for the efforts to establish collective redress to materialise. The increasing number of mass-harm scandals such as Dieselgate with cross-border implications has highlighted the necessity of well-functioning collective redress mechanisms. It is clear from the judgment that this is indeed starting to materialise.