GDPR Collective Litigation Against Facebook
The recent CJEU Case C-319/20, Meta Platforms Ireland, provides insights on the interpretation of Article 80(2) of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), which regulates representative actions in the data protection field. The Court of Justice specified that actions protecting general interests fall under the scope of Article 80(2) GDPR, but left untouched the task of reconciling this provision with the Directive on Representative Actions (DRA).
Meta Platforms Ireland Limited (formerly known as Facebook) is an online social network and the controller of data subjects’ personal data in the EU. Facebook Germany GmbH is a sister company, which undertakes advertising activities in Germany. The dispute sparked when the former offered free games provided by third parties through an App Centre. When users consulted said App and clicked on “play now”, they were requested to accept the general terms and conditions of the application, as well as its data protection policy, which enabled the gaming companies to collect users’ personal data and publish information on their behalf. The Bundesverband der Verbraucherzentralen und Verbraucherverbände (hereafter, VZVB), a German consumer association, brought proceedings in Germany against Meta Platforms Ireland for breaches of German consumer and competition laws, as well as the Federal Data Protection Act (BDSG). VZVB considers that the company failed to comply with the legal requirements to obtain valid consent. Also, the possibility for gaming companies to publish information on behalf of users unduly disadvantages them, which infringes section 307 of the German Civil Code (BGB).
From the Directive 95/46 on Data Protection…
The dispute opposing VZVB to Meta Platforms Ireland broke out under the regime of the Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereafter, Data Protection Directive). According to Article 4(1)(a) of the Data Protection Directive, the German Federal Data Protection Act applied. This can be explained by the fact that Meta Platforms Ireland processes personal data in the context of the activities of an establishment located in Germany. Indeed, as Facebook Germany GmbH is responsible for supporting the group’s local advertising activities, the processing of personal data can be linked to such activities (CJEU Case C‑131/12, Google Spain). This is so, even though the sister company does not process the data itself.
Although the Data Protection Directive remained silent on collective litigation, its text did not prevent entities from starting representative actions – such as the one under analysis – under domestic law (CJEU Case C-40/17, Fashion ID). This explains why VZVB based its standing to sue on Paragraph 4 of the Act on Injunctive Relief for consumer rights and other violations (UKlaG), which allows qualified entities to protect consumers at large, by bringing actions for injunctive relief in the above-mentioned substantive law fields. Importantly, this type of action neither contemplates compensatory remedies, nor does it enable the bundling of multiple individual claims.
… to the GDPR…
The dispute eventually reached the German Supreme Court (BGH). By the time it did, however, the Data Protection Directive had been repealed by the GDPR (directly applicable as of 25 May 2018). One of the many novelties brought by the GDPR is the introduction of Article 80, which explicitly enables a body, organisation or association (hereafter, representative entities) to start an action on behalf of data subjects under certain conditions. Only entities which are not-for-profit, properly constituted in accordance with the law of a Member State, active in the data protection field, and have statutory objectives in the public interest, may start a representative action. In that regard, two scenarios must be distinguished. On the one hand, Article 80(1) GDPR allows representative entities to exercise several rights, including the right to an effective judicial remedy, as well as the right to compensation and liability where provided for by national law (Articles 77-79 and 82 GDPR). To exercise those rights collectively, data subjects must give a mandate to the representative entity. On the other hand, Article 80(2) GDPR offers Member States a dispositive right: they may enable a representative entity to exercise the rights of Articles 77-79 GDPR without any mandate, “if it considers that the rights of a data subject (…) have been infringed”. In this case, however, the right to compensation is excluded. Article 80(2) GDPR was not transposed in Germany, but collective litigation in the general interest of consumers/data subjects has been possible under domestic law for a long time.
… and the CJEU.
The German Supreme Court doubts that national law, and therefore, the action brought by VZVB, fits the newly enacted framework on representative actions (its judgment is available here). In particular, the referring court questions the compatibility of an action protecting the general interest of consumers/data subjects with Article 80(2) GDPR, the wording of which explicitly requires the infringement of a data subject’s rights. By its request for a preliminary ruling to the CJEU, therefore, the German Supreme Court seeks to determine whether Article 80(2) GDPR precludes a consumer association from bringing an action for data protection breaches in the absence of any mandate and independently of the infringement of individual data protection rights against a controller, on the basis of competition and consumer laws.
VZVB’s Standing to Sue
The CJEU concludes that actions protecting consumers/data subjects at large fall under the scope of Article 80(2) GDPR, and that a consumer association such as VZVB may fall under the personal scope of this provision, as the consumer association acts in the public interest, safeguarding data subjects’ rights in their capacity as consumers (paras 64-66). This is good news: thanks to the broad interpretation of the CJEU, consumer associations may represent data subjects even when the interests that they defend primarily focus on consumer protection and fair competition. I deduce that those associations shall not be required to expressly include data protection into their bylaws (or “statutory objectives”) to be able to qualify as a representative entity under Article 80 GDPR.
The Broad Scope of Article 80(2) GDPR
According to Article 80(2) GDPR, a representative entity may exercise the rights conferred by this provision if it “considers that the rights of a data subject (…) have been infringed as a result of the processing” of his or her data. The CJEU considers that no identification of an individual breach is necessary for the purpose of bringing a representative action, since the concept of “data subject” encompasses identified, as well as identifiable persons (para. 69). The use of the verb “considers” leads to a similar conclusion: it is sufficient for the representative entity to claim that the rights of data subjects have been infringed. There is no need to prove that actual harm has been suffered (paras 72-73). Also, authorising VZVB to bring an action protecting the general interest of consumers/data subjects is consistent with the GDPR’s objective of ensuring the effective protection of data subjects’ rights (paras 73-74 and 76).
The literal interpretation of the CJEU seems reasonable to me, even though I have proposed a different reading of Article 80(2) GDPR in the past. To start with, the fact that an entity may litigate “if it considers that the rights of a data subject (…) have been infringed” [emphasis added] might as well support the idea that only collective – as opposed to general – interests are covered. Another indication that general interests are not encompassed in that provision can be found in the title of Article 80 GDPR, which permits the representation of data subjects. This scheme is normally used when individual victims are harmed. Conversely, entities usually protect or defend general interests but do not represent them. Moreover, the title of Article 80 GDPR states that data subjects are the ones to be represented – as opposed to public interests.
Whether a broad interpretation of Article 80(2) GDPR’s scope is necessary to secure the effective protection of data subjects’ rights is questionable. As I see it, including actions protecting general interests within the scope of Article 80(2) GDPR can only be said to ensure a high level of data protection if the alternative is no (representative) action at all. However, under the regime of the Directive (EU) 2020/1828 on representative actions for the protection of the collective interests of consumers – to be implemented by 2023 – these actions can be brought in the data protection field and national legislators may enable representative entities to seek compensation – which is in stark contrast with the explicit prohibition of Article 80(2) GDPR. In that case, the question is not so much whether a given representative action falls within the scope of Article 80(2) GDPR, but whether it could fall out. For a high level of protection to be ensured, the interaction between the GDPR and the DRA needs to be clarified.
The GDPR and the DRA: parallel or exclusive bodies of law?
There are two interpretative approaches: On the one hand, Article 80 GDPR might be interpreted in the sense that it establishes an exclusive framework, whereby all representative actions (including those that seek to protect a general interest) must necessarily respect its requirements. This logically leads to the conclusion that representative entities cannot request compensation if they do not have a mandate, since Article 80(2) GDPR does not allow it and since other procedural paths would not be available. The DRA would therefore lose its practical value in the field of data protection, as Article 80 GDPR would always apply. Such an approach does not particularly enhance the effective protection of data, as it limits access to justice.
On the other hand, one might consider that the DRA and the GDPR offer parallel (or non-exclusive) “litigation channels”. Following this interpretation, representative entities would be able to choose to file their representative actions complying with the requirements of either regime. As a result, actions which do not fall within the scope of Article 80(2) GDPR could still be pursued under national law (transposing the DRA). This is problematic, however, since those two legal regimes are apparently contradictory: first, the DRA imposes stricter conditions regarding standing to sue than the GDPR; second, whereas the DRA does not exclude compensatory remedies, the GDPR bars the right to compensation when the representative entity acts without a mandate.
Is there a way to ensure the harmonious interpretation of both texts? In my opinion, there is. Allowing representative entities, which meet the less stringent GDPR requirements on standing, to seek injunctive relief only, should not prevent representative entities fulfilling the highest requirements of the DRA from seeking compensation, provided that the national procedural scheme permits it (some Member States, such as Germany, do not allow it). To sum up, the proposed interpretation posits that Article 80(2) GDPR only bars the right to compensation when entities are not qualified (in the sense of Article 4 of the DRA). If they are, the national channels transposing the DRA, and compensatory remedies where those are available, remain open.
Conclusion
The CJEU’s interpretation of Article 80(2) GDPR in the case under analysis is reasonable, but it does not seem to be a game changer. In my opinion, ensuring the compatibility of the GDPR with the DRA is the crux of the matter, and our ability to do so will certainly have an impact on the GDPR’s objective to effectively protect personal data in the EU.