On 28 April 2022, the Court of Justice of European Union (CJEU) allows consumer protection associations to take legal action against personal data breaches in the absence of a specific mandate and independently of the infringement of specific rights of a data subject (C-319/20, Meta Platforms Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.). The particularity is that the action is based on the prohibition of unfair commercial practices, the infringement of a consumer protection law or the prohibition of the use of invalid general terms and conditions.
In its decision, the CJEU validates a German law under article 80(2) GDPR. It is interesting to note that this law had already been validated under Directive 95/46 (CJEU, 29 July 2019, C-40/17, Fashion ID). Article 80(2) states that Member States may provide that consumer protection associations have the right to lodge a complaint if they consider that the rights of a data subject have been infringed as a result of the processing. According to the CJEU, the infringement of rules relating to the protection of personal data may at the same time give rise to an infringement of rules on consumer protection or unfair commercial practices. Therefore, associations can act against infringements of the rights provided for by the GDPR through rules intended to protect consumers or combat unfair commercial practices.
This article was co-authored by Edouard Cruysmans in his capacity of Professional Support Lawyer at Stibbe.