Article 80 (2) of the General Data Protection Regulation (GDPR) provides that Member States can entitle properly constituted not-for-profit bodies, organizations or associations that have statutory objectives which are in the public interest, and are active in the field of the protection of data subjects’ rights and freedoms, with the right to lodge complaints with the supervisory authority when they consider that the rights of the data subjects have been infringed.
This group of entities includes consumer associations, which have the right throughout the EU to lodge complaints on behalf of their members. It was not that clear, however, whether they needed a mandate from those members, in this case, consumers, to be able to lodge such complaints. This is precisely what the Court of Justice of the European Union (CJEU) has clarified in its decision of 22 April 2022 in case C‑319/20.
The question at issue was whether the Federation’s legal standing under German law to bring actions for injunctions based on a data protection infringement in the name of consumers violates the provisions of Art. 80 of the GDPR.
The Court explains that both the personal and the material requirements contained in Art. 80 GDPR are satisfied. To the extent that the Federation pursues a public interest purpose consisting of guaranteeing the rights and freedoms of data subjects as consumers (without prejudice that this purpose may be linked to the protection of their personal data), the personal requirement is fulfilled. Concerning the material requirement, as it is only required that the entity concerned ‘considers’ that the rights of a data subject under the GDPR have been infringed, it is also deemed to have been satisfied.
The bottom line of the decision is that Art. 80(2) GDPR does not preclude national provisions that empower consumer associations without a mandate for that purpose to bring class actions to ensure compliance with the rights conferred by the GDPR by means of rules designed to protect consumers or to prevent unfair commercial practices.
The Court adds that in order to bring such class actions, the entity representing the data subjects cannot be required to carry out the prior individual identification of the person who specifically has the status of data subject affected by the data processing allegedly against the provisions of the GDPR. It is neither necessary to allege a concrete breach of the rights conferred by the data protection rules or the existence of actual damage suffered by the data subject as a result of the infringement of his rights.
The Court concludes that this interpretation is consistent with the objective pursued by the GDPR: to ensure effective protection of the freedoms and fundamental rights of natural persons and the reinforcement of the rights of data subjects by providing them with a high level of protection.
The question is perhaps whether or not this decision will be a turning point for consumer associations and whether or not they will follow the Federation’s lead and proactively pursue data protection breaches on their radar without a mandate from their members.