Introduction
The European Union's General Data Protection Regulation (GDPR)Footnote 1 was originally conceived as a means of fully harmonizing data protection law across the territory of the European Union. As a regulation, the GDPR has direct and uniform effect in member state law without the need for member states to adopt national implementing laws.Footnote 2 However, as the European Court of Justice (ECJ) acknowledged in its well-known 2021 Facebook Ireland judgment,Footnote 3 the GDPR as finally adopted contains a number of optional provisions that allow member states a margin of discretion to limit or expand its scope.
Article 80 of the GDPR (Representation of Data Subjects) sets out two methods by which data subjects’ rights may be vindicated through collective action. Paragraph 1 directly empowers a data subject to authorize a non-profit, public interest organization to lodge an administrative or judicial complaint, and to receive compensation on their behalf. Paragraph 2 states that member states additionally “may provide” for such organization to lodge complaints “independently of a data subject's mandate” if the organization “considers” the rights of a data subject to have been infringed. The right provided in paragraph 2 is available only in those EU member states that choose to provide it.
The predecessor EU legislation to the GDPR, the 95 Directive,Footnote 4 contained no counterpart to Article 80. In its 2019 Fashion ID judgment, however, the ECJ had interpreted that earlier Directive not to preclude member state consumer protection laws that provided such a collective right to vindicate an infringement of data protection law.Footnote 5 The Meta Platforms caseFootnote 6 similarly addresses unresolved issues of the relationship between member state consumer law and EU data protection law—in this case, arising under Article 80(2) of the GDPR.
Background
Meta Platforms Ireland (formerly known as Facebook Ireland) manages the social network's services throughout the European Union and controls the personal data of users in the European Union. Facebook Germany, an affiliate, sells advertising for the social network in Germany. The German Facebook site also contains an App Center, where users may obtain ‘free’ games provided by third parties. A user of Facebook's Germany site who selects a game from the App Center is informed that the gaming company thereby obtains his or her personal data. Facebook's terms and conditions state that by accessing a game, a user has given permission to the third party to make use of such data.
The German Federal Union of Consumer Organizations and Associations (VZVB) sought an injunction against Meta Platforms in a Berlin court, alleging that the third party app provider's acquisition of users’ personal data was unfair under German consumer and competition laws, as well as inconsistent with the GDPR's consent requirement.Footnote 7 After several lower court rulings, the German Federal Court of Justice (Bundesgerichtshof or BGH), the highest appellate body, decided to ask the ECJ, through the preliminary reference procedure,Footnote 8 to examine the relationship between Article 80(2) of the GDPR and the provisions of German law upon which VZVB had relied.
Specifically, the BGH expressed doubt that German law met the requirements for collective actions set forth in Article 80(2) of the GDPR. Germany had not exercised its option to transpose that provision into German law, but its consumer and competition laws had long permitted collective action in the absence of an individual mandate and independently of the infringement of specific rights of a data subject.
ECJ Judgment
The ECJ first concluded that VZVB qualified under Article 80 as a public-interest body authorized to represent data subjects’ rights and interests.Footnote 9 But did its capability to represent consumers’ general interests meet the explicit requirement of Article 80(2) that data subjects’ rights had been infringed? Since Article 80(2) requires only that the organization “considers” such rights to have been infringed, the Court saw no difficulty. “It is sufficient to claim that the data processing concerned is liable to affect the rights which identified or identifiable natural persons derive from [the GDPR], without it being necessary to prove actual harm suffered by the data subject”Footnote 10 (emphasis added).
In other words, standing under Article 80(2) requires only that the association posit the existence of a class of persons reasonably likely to have been harmed—not to plead specific harm to identified persons. As the ECJ Advocate General Opinion preceding the judgment had suggested, there is a close link between the general “preventive function” performed by consumer associations in bringing collective actions and the GDPR's more precise purpose of protecting personal data.Footnote 11 Even where such groups focus primarily on consumer protection and fair competition, they may also exercise their collective rights relating to data protection set forth in Article 80(2), including by seeking injunctive action. The ECJ further cited the existence of a new EU-level directive generally authorizing consumer protection collective actions as support for its view that consumer protection laws implemented at the member state level can provide a basis for actions under Article 80(2) of the GDPR.Footnote 12
Conclusion
The ECJ's deliberate effort to connect consumer law and data protection law may seem exaggerated to a U.S. reader, since in the United States consumer protection and competition laws such as the Federal Trade Commission ActFootnote 13 are regularly relied upon to vindicate privacy interests. But, as the Advocate General pointed out, “unlike the position in the United States of America, in EU law the regulations relating to unfair commercial practices and those relating to the protection of personal data have developed separately” and constitute formally distinct regulatory frameworks.Footnote 14 Nonetheless, the ECJ judgment fairly recognizes that the two areas of EU law do interact and reinforce one another.
Meta Platforms Ireland does not answer all the relevant questions posed by the interaction of these two related bodies of European law, however. For example, the German court had asked the ECJ not only whether Article 80(2) precluded a consumer association—independent of the infringement of specific data subject rights—from bringing proceedings for GDPR breaches, but also whether that provision precluded Meta's competitors from doing so. The ECJ saw that latter question as unnecessary to answer in the factual context presented to it,Footnote 15 but the eventual answer to it obviously could have major commercial significance for technology companies.
Even if consumer associations and other non-profit public interest organizations remain the sole protagonists in collective actions brought under Article 80(2), they will enjoy considerable scope for litigation, in view of the ECJ's holding on the minimal level of individualized harm that must be pleaded. Such groups need not identify particular data subjects nor prove that such persons have actually been harmed, so long as they can theorize an identifiable class of persons liable to have been affected by company action.Footnote 16 This approach varies considerably from concepts of standing and harm in U.S. litigation, for example.
Finally, once the new EU directive on consumer protection collective actions takes effect, further questions are likely to arise regarding how to reconcile its stricter requirements with those of GDPR Article 80(2). One scholar suggests that Article 80(2) collective actions could be limited to injunctive remedies, as was the case in Meta Platforms Ireland, leaving questions of compensation for GDPR breaches to actions under the consumer protection directive.Footnote 17 The Meta Platforms Ireland judgment is thus far from the last word that will be pronounced in a burgeoning area of interaction between EU data protection law and consumer law.
Provisional text
JUDGMENT OF THE COURT (Third Chamber)
28 April 2022Footnote **
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 80 – Representation of the data subjects by a not-for-profit association – Representative action brought by a consumer protection association in the absence of a mandate and independently of the infringement of specific rights of a data subject – Action based on the prohibition of unfair commercial practices, the infringement of a consumer protection law or the prohibition of the use of invalid general terms and conditions)
In Case C–319/20,
REQUEST for a preliminary ruling under Article 267 TFEU from the Bundesgerichtshof (Federal Court of Justice, Germany), made by decision of 28 May 2020, received at the Court on 15 July 2020, in the proceedings
Meta Platforms Ireland Limited, formerly Facebook Ireland Limited,
v
Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.,
THE COURT (Third Chamber),
composed of A. Prechal, President of the Second Chamber, acting as President of the Third Chamber, J. Passer, F. Biltgen, L.S. Rossi (Rapporteur) and N. Wahl, Judges,
Advocate General: J. Richard de la Tour,
Registrar: M. Krausenböck, Administrator,
having regard to the written procedure and further to the hearing on 23 September 2021,
after considering the observations submitted on behalf of:
– Meta Platforms Ireland Limited, by H.-G. Kamann, M. Braun and H. Frey, Rechtsanwälte, and by V. Wettner, Rechtsanwältin,
– Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V., by P. Wassermann, Rechtsanwalt,
– for the German government, by D. Klebs and J. Möller, acting as Agents,
– the Austrian Government, by A. Posch and Dr G. Kunnert and J. Schmoll, acting as Agents,
– the Portuguese Government, by L. Inez Fernandes and C. Vieira Guerra, P. Barros da Costa and L. Medeiros, acting as Agents,
– the European Commission, initially by F. Erlbacher, H. Kranenborg and D. Nardi, and subsequently by F. Erlbacher and H. Kranenborg, acting as Agents,
after hearing the Opinion of the Advocate General at the sitting on 2 December 2021, gives the following
Judgment
1 This request for a preliminary ruling concerns the interpretation of Article 80(1) and (2) and Article 84(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).
2 The request has been made in proceedings between Meta Platforms Ireland Limited, formerly Facebook Ireland Limited, whose registered office is in Ireland, and Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (Federal Union of Consumer Organisations and Associations, Germany) (‘the Federal Union’) concerning the infringement by Meta Platforms Ireland of the German legislation on the protection of personal data constituting, at the same time, an unfair commercial practice, an infringement of a law relating to consumer protection and a breach of the prohibition of the use of invalid general terms and conditions.
Legal context European Union law
The GDPR
3 Recitals 9, 10, 13 and 142 of the GDPR state:
‘(9) The objectives and principles of Directive [95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31)] remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive [95/46].
(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. …
…
(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. …
…
(142) Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the right to mandate a not-for-profit body, organisation or association which is constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of personal data to lodge a complaint on his or her behalf with a supervisory authority, exercise the right to a judicial remedy on behalf of data subjects or, if provided for in Member State law, exercise the right to receive compensation on behalf of data subjects. A Member State may provide for such a body, organisation or association to have the right to lodge a complaint in that Member State, independently of a data subject's mandate, and the right to an effective judicial remedy where it has reasons to consider that the rights of a data subject have been infringed as a result of the processing of personal data which infringes this Regulation. That body, organization or association may not be allowed to claim compensation on a data subject's behalf independently of the data subject's mandate.’
4 Article 1 of that regulation, entitled ‘Subject matter and objectives’, provides, in paragraph 1 thereof:
‘This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.’
5 Article 4(1) of the GDPR provides:
‘For the purposes of this Regulation:
(1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
6 Chapter III of the GDPR, which includes Articles 12 to 23, is entitled ‘Rights of the data subject’.
7 Article 12 of that regulation, headed ‘Transparent information, communication and modalities for the exercise of the rights of the data subject’, lay downs, in paragraph 1 thereof:
‘The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.’
8 Article 13 of the GDPR, entitled ‘Information to be provided where personal data are collected from the data subject’, provides, in paragraph 1(c) and (e) thereof:
‘Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
…
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
…
(e) the recipients or categories of recipients of the personal data, if any …’
9 Chapter VIII of that regulation, which comprises Articles 77 to 84, is entitled ‘Remedies, liability and penalties’.
10 Article 77 of the GDPR, headed ‘Right to lodge a complaint with a supervisory authority’, provides, in paragraph 1 thereof:
‘Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.’
11 Article 78 of the GDPR, headed ‘Right to an effective judicial remedy against a supervisory authority’, lays down, in paragraph 1 thereof:
‘Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.’
12 Article 79 of the GDPR, headed ‘Right to an effective judicial remedy against a controller or processor’, provides, in paragraph 1 thereof:
‘Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.’
13 Article 80 of the GDPR, entitled ‘Representation of data subjects’, is worded as follows:
‘1. The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.
2. Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject's mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.’
14 Article 82 of that regulation, headed ‘Right to compensation and liability’, provides, in paragraph 1
thereof:
‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.’
15 Article 84 of the GDPR, entitled ‘Penalties’, lays down, in paragraph 1 thereof:
‘Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.’
Directive 2005/29/EC
16 The objective of Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (‘Unfair Commercial Practices Directive’) (OJ 2005 L 149, p. 22) is, according to Article 1 thereof, to contribute to the proper functioning of the internal market and achieve a high level of consumer protection by approximating the laws, regulations and administrative provisions of the Member States on unfair commercial practices harming consumers’ economic interests.
17 Under Article 5 of Directive 2005/29, entitled ‘Prohibition of unfair commercial practices’:
‘1. Unfair commercial practices shall be prohibited.
2. A commercial practice shall be unfair if:
(a) it is contrary to the requirements of professional diligence, and
(b) it materially distorts or is likely to materially distort the economic behaviour with regard to the product of the average consumer whom it reaches or to whom it is addressed, or of the average member of the group when a commercial practice is directed to a particular group of consumers.
…
5. Annex I contains the list of those commercial practices which shall in all circumstances be regarded as unfair. …’
18 Article 11(1) of that directive, entitled ‘Enforcement’, provides:
‘Member States shall ensure that adequate and effective means exist to combat unfair commercial practices in order to enforce compliance with the provisions of this Directive in the interest of consumers.
Such means shall include legal provisions under which persons or organisations regarded under national law as having a legitimate interest in combating unfair commercial practices, including competitors, may:
(a) take legal action against such unfair commercial practices;
and/or
(b) bring such unfair commercial practices before an administrative authority competent either to decide on complaints or to initiate appropriate legal proceedings.
It shall be for each Member State to decide which of these facilities shall be available and whether to enable the courts or administrative authorities to require prior recourse to other established means of dealing with complaints, including those referred to in Article 10. These facilities shall be available regardless of whether the consumers affected are in the territory of the Member State where the trader is located or in another Member State.
…’
19 Annex I to Directive 2005/29, which contains the list of unfair commercial practices in all circumstances, provides, in point 26 thereof:
‘Making persistent and unwanted solicitations by telephone, fax, e-mail or other remote media except in circumstances and to the extent justified under national law to enforce a contractual obligation. This is without prejudice to … [Directive 95/46] …’
Directive 2009/22/EC
20 Under Article 1 of Directive 2009/22/EC of the European Parliament and of the Council of 23 April 2009 on injunctions for the protection of consumers’ interests (OJ 2009 L 110, p. 30), entitled ‘Scope’:
‘1. The purpose of this Directive is to approximate the laws, regulations and administrative provisions of the Member States relating to actions for an injunction referred to in Article 2 aimed at the protection of the collective interests of consumers included in the Directives listed in Annex I, with a view to ensuring the smooth functioning of the internal market.
2. For the purposes of this Directive, an infringement means any act contrary to the Directives listed in Annex I as transposed into the internal legal order of the Member States which harms the collective interests referred to in paragraph 1.’
21 Article 7 of Directive 2009/22, entitled ‘Provisions for wider action’, is worded as follows:
‘This Directive shall not prevent Member States from adopting or maintaining in force provisions designed to grant qualified entities and any other person concerned more extensive rights to bring action at national level.’
22 Annex I to Directive 2009/22 contains the list of EU directives referred to in Article 1 thereof. Point 11 of that annex refers to Directive 2005/29.
Directive (EU) 2020/1828
23 Recitals 11, 13 and 15 of Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ 2020 L 409, p. 1) state:
‘(11) This Directive should not replace existing national procedural mechanisms for the protection of collective or individual consumer interests. Taking into account their legal traditions, it should leave it to the discretion of the Member States whether to design the procedural mechanism for representative actions required by this Directive as part of an existing or as part of a new procedural mechanism for collective injunctive measures or redress measures, or as a distinct procedural mechanism, provided that at least one national procedural mechanism for representative actions complies with this Directive. … If there were procedural mechanisms in place at national level in addition to the procedural mechanism required by this Directive, the qualified entity should be able to choose which procedural mechanism to use.
…
(13) The scope of this Directive should reflect recent developments in the field of consumer protection. Since consumers now operate in a wider and increasingly digitalised marketplace, achieving a high level of consumer protection requires that areas such as data protection, financial services, travel and tourism, energy, and telecommunications be covered by the Directive, in addition to general consumer law. …
…
(15) This Directive should be without prejudice to the legal acts listed in Annex I and therefore it should not change or extend the definitions laid down in those legal acts or replace any enforcement mechanism that those legal acts might contain. For example, the enforcement mechanisms provided for in or based on [the GDPR] could, where applicable, still be used for the protection of the collective interests of consumers.’
24 Article 2 of that directive, headed ‘Scope’, provides, in paragraph 1 thereof:
‘This Directive applies to representative actions brought against infringements by traders of the provisions of Union law referred to in Annex I, including such provisions as transposed into national law, that harm or may harm the collective interests of consumers. This Directive is without prejudice to the provisions of Union law referred to in Annex I. …’
25 Article 24(1) of that directive, entitled ‘Transposition’, provides:
Member States shall adopt and publish, by 25 December 2022, the laws, regulations and administrative provisions necessary to comply with this Directive. They shall immediately inform the Commission thereof.
They shall apply those measures from 25 June 2023.
…’
26 Annex I to Directive 2020/1828, which contains the list of provisions of EU law referred to in Article 2(1) thereof, refers to the GDPR in point 56 thereof.
German law
Law on injunctions
27 Under Paragraph 2 of the Gesetz über Unterlassungsklagen bei Verbraucherrechts- und anderen Verstößen (Unterlassungsklagengesetz – UKlaG) (Law on injunctions against infringements of consumer law and other infringements) of 26 November 2001 (BGBl. 2001 I, p. 3138), in the version applicable to the dispute in the main proceedings (‘the Law on Injunctions’):
‘(1) Any person who infringes rules in place to protect consumers (consumer protection laws), other than in the application or recommendation of general terms and conditions, may be subject to an order to cease and desist or a prohibition order in the interest of consumer protection. …
(2) For the purposes of this provision, “consumer protection laws” means, in particular:
…
11. the rules defining lawfulness
(a) of the collection of personal data of a consumer by an undertaking or
(b) the processing or use of personal data which have been collected by a business in relation to a consumer,
where the data are collected, processed or used for the purposes of publicity, market and opinion research, use by an information agency, a personality and usage profile establishment, of any other data business or for similar commercial purposes.’
28 The Bundesgerichtshof (Federal Court of Justice, Germany) states that, under point 1 of the first sentence of Paragraph 3(1) of the Law on Injunctions, bodies with standing to bring proceedings, within the meaning of Paragraph 4 of that law, may, first, in accordance with Paragraph 1 of that law, seek an injunction against the use of invalid general terms and conditions under Paragraph 307 of the Bürgerliches Gesetzbuch (Civil Code) and, second, seek an injunction against infringements of consumer protection law, within the meaning of Paragraph 2(2) of that law.
Law against unfair competition
29 Paragraph 3(1) of the Gesetz gegen den unlauteren Wettbewerb (Law against unfair competition) of 3 July 2004 (BGB1. 2004 I, p. 1414), in the version applicable to the main proceedings (‘the Law against unfair competition’), provides:
‘Unfair commercial practices shall be prohibited.’
30 Paragraph 3a of the Law against unfair competition is worded as follows:
‘A person shall be considered to be acting unfairly where he or she infringes a statutory provision that is also intended to regulate market behaviour in the interests of market participants and the infringement is liable to have a significantly adverse effect on the interests of consumers, other market participants or competitors.’
31 Paragraph 8 of the Law against unfair competition lays down:
‘(1) Any commercial practice which is unlawful under Paragraph 3 or Paragraph 7 may give rise to an order to cease and desist and, in the event of recurrence, an order to refrain or a prohibition order. …
…
(3) Applications for the injunctions referred to in subparagraph (1) may be made:
…
3. by qualified entities which provide evidence that they are included in the list of qualified entities, in accordance with Paragraph 4 of the [Law on injunctions] …’
The Law on Electronic Media
32 The Bundesgerichtshof (Federal Court of Justice) states that Paragraph 13(1) of the Telemediengesetz (‘the Law on Electronic Media’) of 26 February 2007 (BGB1. 2007 I, p. 179) was applicable until the GDPR came into force. As from that date, that provision has been replaced by Articles 12 to 14 of the GDPR.
33 Under the first sentence of Paragraph 13(1) of the Law on Electronic Media:
‘From the outset of the use, the service provider shall inform the user in a universally comprehensible form of the mode, the extent and the purpose of the collection and use of personal data and of the processing of his or her data in States which do not come within the scope of [Directive 95/46] in so far as he or she has not already been so informed.’
The dispute in the main proceedings and the question referred for a preliminary ruling
34 Meta Platforms Ireland, which manages the provision of services of the online social network Facebook in the European Union, is the controller of the personal data of users of that social network in the European Union. Facebook Germany GmbH, which has its registered office in Germany, promotes the sale of advertising space at the internet address www.facebook.de. The Facebook internet platform contains, inter alia, at the internet address www.facebook.de, an area called ‘App-Zentrum’ (‘App Center’) on which Meta Platforms Ireland makes available to users free games provided by third parties. When consulting the App Center of some of those games, an indication appears informing the user that the use of the application concerned enables the gaming company to obtain a certain amount of personal data and, by that use, permission is given for it to publish data on behalf of that user, such as his or her score and other information. The consequence of that use is that the user accepts the general terms and conditions of the application and its data protection policy. In addition, in the case of a specific game, it is stated that the application has permission to post the status, photos and other information on behalf of that user.
35 The Federal Union, a body which has standing under Paragraph 4 of the Law on Injunctions, considers that the information provided by the games concerned in the App Center is unfair, in particular in terms of the failure to comply with the legal requirements which apply to the obtention of valid consent from the user under the provisions governing data protection. Moreover, it considers that the statement that the application has permission to publish certain personal information of the user on his or her behalf constitutes a general condition which unduly disadvantages the user.
36 In that context, the Federal Union brought an action for an injunction before the Landgericht Berlin (Regional Court, Berlin, Germany) against Meta Platforms Ireland based on Paragraph 3a of the Law against unfair competition, the first sentence of point 11 of Paragraph 2(2) of the Law on Injunctions and the Civil Code. It brought that action independently of a specific infringement of a data subject's right to protection of his or her data and without being mandated to do so by such a person.
37 The Landgericht Berlin (Regional Court, Berlin) ruled against Meta Platforms Ireland, in accordance with the form of order sought by the Federal Union. The appeal brought by Meta Platforms Ireland before the Kammergericht Berlin (Higher Regional Court, Berlin, Germany) was dismissed. Meta Platforms Ireland then brought an appeal on a point of law (Revision) before the referring court against the dismissal decision adopted by the Kammergericht Berlin (Higher Regional Court, Berlin).
38 The referring court considers that the action brought by the Federal Union is well founded, in so far as Meta Platforms Ireland infringed Paragraph 3a of the Law against unfair competition and the first sentence of point 11 of Paragraph 2(2) of the Law on Injunctions, and used an invalid general condition, within the meaning of Paragraph 1 of the Law on Injunctions.
39 However, that court has doubts as to the admissibility of the action brought by the Federal Union. It takes the view that it cannot be ruled out that the Federal Union, which did indeed have standing to bring proceedings on the date on which it brought the action – on the basis of Paragraph 8(3) of the Law against unfair competition and point 1 of the first sentence of Paragraph 3(1) of the Law on Injunctions – lost that status during the proceedings, following the entry into force of the GDPR and, in particular, Article 80(1) and (2) and Article 84(1) thereof. If that were the case, the referring court would have to uphold the appeal on a point of law brought by Meta Platforms Ireland and dismiss the action of the Federal Union, since, under German procedural law, standing to bring proceedings must endure until the end of the proceedings at last instance.
40 According to the referring court, the answer in that regard is not clear from the assessment of the wording, scheme and objectives of the provisions of the GDPR.
41 As regards the wording of the provisions of the GDPR, the referring court notes that the existence of standing to bring proceedings of not-for-profit bodies, organisations or associations which have been properly constituted in accordance with the law of a Member State, pursuant to Article 80(1) of the GDPR, presupposes that the data subject has mandated a body, organisation or association for it to exercise on his or her behalf the rights referred to in Articles 77 to 79 of the GDPR and the right to compensation referred to in Article 82 of the GDPR where the law of a Member State so provides.
42 The referring court states that standing to bring proceedings under Paragraph 8(3)(3) of the Law against unfair competition does not cover such an action brought on the basis of a mandate and on behalf of a data subject in order to assert his or her personal rights. On the contrary, it confers on an association, by virtue of a right peculiar to it and stemming from Paragraph 3(1) and Paragraph 3a of the Law against unfair competition, standing to bring proceedings on an objective basis against infringements of the provisions of the GDPR, independently of the infringement of specific rights of data subjects and of a mandate conferred by them.
43 In addition, the referring court observes that Article 80(2) of the GDPR does not provide for an association's standing to bring proceedings in order to secure the application, objectively, of the law on the protection of personal data since that provision presupposes that the rights of a data subject laid down in the GDPR have actually been infringed as a result of the processing of specific data.
44 Furthermore, an association's standing to bring proceedings, such as that provided for in Paragraph 8(3) of the Law against unfair competition, cannot result from Article 84(1) of the GDPR, under which the Member States are to lay down the rules on other penalties applicable to infringements of that regulation and are to take all measures necessary to ensure that they are implemented. The standing of an association, such as that referred to in Paragraph 8(3) of the Law against unfair competition, cannot be regarded as constituting a ‘penalty’ within the meaning of that provision of the GDPR.
45 As regards the scheme of the provisions of the GDPR, the referring court considers that it may be inferred from the fact that it harmonised, inter alia, the powers of the supervisory authorities that it is principally for those authorities to verify the application of the provisions of that regulation. However, the expression ‘without prejudice to any other … remedy’, which appears in Article 77(1), Article 78(1) and (2) and Article 79(1) of the GDPR, may undermine the argument that oversight of the application of the law is exhaustively governed by that regulation.
46 As regards the objective of the provisions of the GDPR, the referring court notes that the effectiveness of that regulation may support an argument in favour of associations having standing to bring proceedings on the basis of competition law, in accordance with Paragraph 8(3)(3) of the Law against unfair competition, independently of the infringement of specific rights of data subjects, since that would allow an additional opportunity to supervise the application of the law to remain, in order to ensure as high a level as possible of protection of personal data, in accordance with recital 10 of the GDPR. Nonetheless, accepting that associations have standing to bring proceedings under competition law may be considered to run counter to the objective of harmonisation pursued by the GDPR.
47 In the light of those considerations, the Bundesgerichtshof (Federal Court of Justice) decided to stay the proceedings and to refer the following question to the Court of Justice for a preliminary ruling:
‘Do the rules in Chapter VIII, in particular in Article 80(1) and (2) and Article 84(1), of [the GDPR] preclude national rules which – alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the Regulation and the options for legal redress for data subjects – empower, on the one hand, competitors and, on the other, associations, entities and chambers entitled under national law, to bring proceedings for breaches of [the GDPR], independently of the infringement of specific rights of individual data subjects and without being mandated to do so by a data subject, against [the person responsible for that infringement] before the civil courts on the basis of the prohibition of unfair commercial practices or breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions?’
Consideration of the question referred
48 As a preliminary point, it should be noted that, as is apparent, in particular, from paragraph 36 and from paragraphs 41 to 44 above, the dispute in the main proceedings is between a consumer protection association, such as the Federal Union, and Meta Platforms Ireland and concerns the question whether such an association may bring proceedings against that company in the absence of a mandate granted to it for that purpose and independently of the infringement of specific rights of the data subjects.
49 In those circumstances, as the Commission correctly observed in its written observations, the answer to the question referred for a preliminary ruling depends solely on the interpretation of Article 80(2) of the GDPR, since the provisions of Article 80(1) of the GDPR and of Article 84 of the GDPR are not relevant in the present case. First, the application of Article 80(1) of the GDPR presupposes that the data subject has mandated the not-for-profit body, organisation or association referred to in that provision to take on his or her behalf the legal measures provided for in Articles 77 to 79 of the GDPR. It is common ground that that is not the case in the main proceedings, since the Federal Union acts independently of any mandate from a data subject. Second, it is common ground that Article 84 of the GDPR concerns the administrative and criminal penalties applicable to infringements of that regulation, which is also not at issue in the main proceedings.
50 Furthermore, it should be noted that the case in the main proceedings does not raise the question of a competitor's standing to bring proceedings. Consequently, it is only necessary to answer the part of the question which relates to the standing to bring proceedings of associations, bodies and chambers authorised under national law, referred to in Article 80(2) of the GDPR.
51 It follows that the question referred by the referring court must be understood as seeking to ascertain, in essence, whether Article 80(2) of the GDPR must be interpreted as precluding national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of a data subject, against the person allegedly responsible for an infringement of the laws protecting personal data, by alleging infringement of the prohibition of unfair commercial practices, consumer protection legislation or the prohibition of the use of invalid general terms and conditions.
52 In order to answer that question, it must be borne in mind that, as is apparent from recital 10 of the GDPR, that regulation seeks, inter alia, to ensure consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data throughout the European Union and to remove obstacles to flows of personal data within the European Union.
53 In that context, Chapter VIII of that regulation governs, inter alia, the legal remedies enabling the protection of the data subject's rights where his or her personal data have been the subject of processing that is allegedly contrary to the provisions of that regulation. The protection of those rights may thus be sought either directly by the data subject or by an authorised entity, whether there is a mandate to that end or not, pursuant to Article 80 of the GDPR.
54 Thus, first of all, the data subject has the right to lodge a complaint himself or herself with a supervisory authority of a Member State or to bring an action before the national civil courts. More specifically, that data subject has the right to lodge a complaint with a supervisory authority, in accordance with Article 77 of the GDPR, the right to an effective judicial remedy against a supervisory authority, pursuant to Article 78 of the GDPR, the right to an effective judicial remedy against a controller or processor, provided for in Article 79 of the GDPR, and the right to obtain from the controller or processor compensation for the harm suffered, under Article 82 of the GDPR.
55 Next, in accordance with Article 80(1) of the GDPR, the data subject has the right to mandate a not-for-profit body, organisation or association, subject to certain conditions, to lodge a complaint on his or her behalf or to exercise the rights referred to in the articles referred to above on his or her behalf.
56 In accordance with Article 80(2) of the GDPR, Member States may provide that any body, organisation or association, independently of a data subject's mandate granted by a data subject, has the right to lodge, in the Member State in question, a complaint with the supervisory authority, pursuant to Article 77 of that regulation, and to exercise the rights referred to in Articles 78 and 79 thereof, if it considers that the rights of a data subject under that regulation have been infringed as a result of the processing of personal data concerning him or her.
57 In that regard, it should be noted that, as is apparent from Article 1(1) of the GDPR, read in the light, inter alia, of recitals 9, 10 and 13 thereof, that regulation seeks to ensure the harmonisation of national legislation on the protection of personal data which is, in principle, full. However, the provisions of that regulation make it possible for Member States to lay down additional, stricter or derogating national rules, which leave them a margin of discretion as to the manner in which those provisions may be implemented (‘opening clauses’).
58 In that regard, it must be recalled that, according to the Court's settled case-law, pursuant to Article 288 TFEU and by virtue of the very nature of regulations and of their function in the system of sources of EU law, the provisions of those regulations generally have immediate effect in the national legal systems without it being necessary for the national authorities to adopt measures of application. Nonetheless, some of those provisions may necessitate, for their implementation, the adoption of measures of application by the Member States (judgment of 15 June 2021, Facebook Ireland and Others, C–645/19, EU:C:2021:483, paragraph 110 and the case-law cited).
59 That is the case, inter alia, of Article 80(2) of the GDPR, which leaves the Member States a discretion with regard to its implementation. Thus, in order for it to be possible to proceed with the representative action without a mandate provided for in that provision, Member States must make use of the option made available to them by that provision to provide in their national law for that mode of representation of data subjects.
60 However, as the Advocate General observed, in points 51 and 52 of his Opinion, when the Member States exercise the option granted to them by such an opening clause, they must use their discretion under the conditions and within the limits laid down by the provisions of the GDPR and must therefore legislate in such a way as not to undermine the content and objectives of that regulation.
61 In this instance, as was confirmed by the German Government at the hearing in the present case, the German legislature did not adopt, following the entry into force of the GDPR, particular provisions specifically designed to implement Article 80(2) of that regulation in its national law. The national legislation at issue in the main proceedings, adopted in order to transpose Directive 2009/22, already allows consumer protection associations to bring legal proceedings against the person allegedly responsible for an infringement of the laws protecting personal data. That government observes, moreover, that, in its judgment of 29 July 2019, Fashion ID (C–40/17, EU:C:2019:629), concerning the interpretation of the provisions of Directive 95/46, the Court held that those provisions do not preclude that national legislation.
62 In those circumstances, as the Advocate General observed in point 60 of his Opinion, it is necessary, in essence, to ascertain whether the national rules at issue in the main proceedings fall within the scope of the discretion conferred on each Member State by Article 80(2) of the GDPR and thus to interpret that provision taking into account its wording and the scheme and objectives of that regulation.
63 In that regard, it should be noted that Article 80(2) of the GDPR allows Member States to provide for a representative action mechanism against the person allegedly responsible for an infringement of the laws protecting personal data, while setting out a number of requirements at the level of the personal and material scope which must be complied with for that purpose.
64 As regards, in the first place, the personal scope of such a mechanism, standing to bring proceedings is conferred on a body, organisation or association which meets the criteria set out in Article 80(1) of the GDPR. In particular, that provision refers to ‘not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data’.
65 It must be held that a consumer protection association, such as the Federal Union, may fall within the scope of that concept in that it pursues a public interest objective consisting in safeguarding the rights and freedoms of data subjects in their capacity as consumers, since the attainment of such an objective is likely to be related to the protection of the personal data of those persons.
66 The infringement of the rules intended to protect consumers or to combat unfair commercial practices – infringement which a consumer protection association, such as the Federal Union, aims to prevent and penalise, inter alia by recourse to actions for an injunction provided for in the applicable national legislation – may be related, as in the present case, to the infringement of the rules on the protection of personal data of those consumers.
67 As regards, in the second place, the material scope of that mechanism, the exercise of the representative action provided for in Article 80(2) of the GDPR by an entity meeting the conditions referred to in paragraph 1 of that article presupposes that that entity, independently of any mandate conferred on it, ‘considers that the rights of a data subject under [that r]egulation have been infringed as a result of the processing’ of his or her personal data.
68 In that regard, it must be stated, first, that for the purposes of bringing a representative action, within the meaning of Article 80(2) of the GDPR, such an entity cannot be required to carry out a prior individual identification of the person specifically concerned by data processing that is allegedly contrary to the provisions of the GDPR.
69 It is sufficient to note that the concept of ‘data subject’, within the meaning of Article 4(1) of that regulation, covers not only an ‘identified natural person’, but also an ‘identifiable natural person’, namely a natural person ‘who can be identified’, directly or indirectly, by reference to an identifier such as, inter alia, a name, an identification number, location data or an online identifier. In those circumstances, the designation of a category or group of persons affected by such treatment may also be sufficient for the purpose of bringing such representative action.
70 Secondly, under Article 80(2) of the GDPR, the bringing of a representative action is also not subject to the existence of a specific infringement of the rights which a person derives from the data protection rules.
71 As is apparent from the very wording of that provision, recalled in paragraph 67 of the present judgment, the lodging of a representative action presupposes only that the entity concerned ‘considers’ that the rights of a data subject laid down in that regulation have been infringed as a result of the processing of his or her personal data and therefore alleges the existence of data processing that is contrary to the provisions of that regulation.
72 It follows that, in order to recognise that such an entity has standing to bring proceedings under that provision, it is sufficient to claim that the data processing concerned is liable to affect the rights which identified or identifiable natural persons derive from that regulation, without it being necessary to prove actual harm suffered by the data subject, in a given situation, by the infringement of his or her rights.
73 Such an interpretation is consistent with the requirements stemming from Article 16 TFEU and Article 8 of the Charter of Fundamental Rights of the European Union and, thus, with the objective pursued by the GDPR consisting in ensuring effective protection of the fundamental rights and freedoms of natural persons and, in particular, of ensuring a high level of protection of the right of every person to the protection of personal data concerning him or her (see, to that effect, judgment of 15 June 2021, Facebook Ireland and Others, C–645/19, EU:C:2021:483, paragraphs 44, 45 and 91).
74 Authorising consumer protection associations, such as the Federal Union, to bring, by means of a representative action mechanism, actions seeking to have processing contrary to the provisions of that regulation brought to an end, independently of the infringement of the rights of a person individually and specifically affected by that infringement, undoubtedly contributes to strengthening the rights of data subjects and ensuring that they enjoy a high level of protection.
75 Furthermore, it should be noted that the bringing of such a representative action, in so far as it makes it possible to prevent a large number of infringements of the rights of data subjects by the processing of their personal data, could prove more effective than the action that a single person individually and specifically affected by an infringement of his or her right to the protection of his or her personal data may bring against the person responsible for that infringement.
76 As the Advocate General observed in point 76 of his Opinion, the preventive function of actions brought by consumer protection associations, such as the Federal Union, could not be guaranteed if the representative action provided for in Article 80(2) of the GDPR allowed only the infringement of the rights of a person individually and specifically affected by that infringement to be invoked.
77 In the third place, it is still necessary to ascertain, as requested by the referring court, whether Article 80(2) of the GDPR precludes the bringing of a representative action independently of a specific infringement of a right of a data subject and of a mandate conferred by that data subject, where infringement of data protection rules has been alleged in the context of an action seeking to review the application of other legal rules intended to ensure consumer protection.
78 In that regard, it should be noted at the outset that, as has been observed, in essence, in paragraph 66 of the present judgment, the infringement of a rule relating to the protection of personal data may at the same time give rise to an infringement of rules on consumer protection or unfair commercial practices.
79 Therefore, as the Advocate General observed in point 72 of his Opinion, that provision does not preclude the Member States from exercising the option it offers them in that consumer protection associations are entitled to take action against infringements of the rights provided for by the GDPR through, as the case may be, rules intended to protect consumers or combat unfair commercial practices, such as those provided for by Directive 2005/29 and Directive 2009/22.
80 That interpretation of Article 80(2) of the GDPR is moreover supported by Directive 2020/1828 which repeals and replaces, as from 25 June 2023, Directive 2009/22. In that context, it must be observed that, in accordance with Article 2(1) thereof, Directive 2020/1828 applies to representative actions brought in relation to traders’ infringements of the provisions of EU law referred to in Annex I of that directive, which mentions the GDPR in point 56.
81 It is true that Directive 2020/1828 is not applicable in the context of the dispute in the main proceedings and its transposition deadline has not yet expired. However, it contains several elements which confirm that Article 80 of the GDPR does not preclude the bringing of additional representative actions in the field of consumer protection.
82 Although, as is apparent from recital 11 of that directive, it remains possible to provide a procedural mechanism for additional representative actions in the field of consumer protection, the application mechanisms provided for in the GDPR or based on that regulation, such as that provided for in Article 80 of that regulation, cannot be replaced or amended, as stated in recital 15 of that directive, and they may thus be used to protect the collective interests of consumers.
83 In the light of all the foregoing considerations, the answer to the question referred is that Article 80(2) of the GDPR must be interpreted as not precluding national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.
Costs
84 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Third Chamber) hereby rules:
Article 80(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as not precluding national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.
[Signatures]