Facts of the case
The case involves a number of data processing practices identified by the German federation of consumer organisations (vzvb) on the Facebook platform back in 2012. Most notably, the federation argued that information about the processing of personal data in connection with third-party apps available in Facebook's App Centre failed to meet the appliable requirements. German courts generally agreed that the vzvb had a point on the merits. However, following the entry into force of the GDPR a doubt was raised if the federation continued to have standing in cases that involved violations of data subjects' rights, independently of specific infringements.
Opinion of the AG
Standing of consumer organisations
The problem sounds familiar? That's because it is. A similar question was considered by the CJEU in 2019, in the context of the previously applicable Data Protection Directive (FashionID case). Back then the Court rejected an argument that consumer organisations should not be entitled to bring claims under data protection rules. According to the AG, this has not changed after the entry into force of the GDPR; quite the contrary, the regulation explicitly provides for collective redress and nothing in Article 80(2) of the act implies that an organisation can only bring proceedings if particular persons affected by the processing have been identified.
The conclusion reached by the AG in respect of the GDPR appears to be well-founded. The reasoning relies on both literal, systematic and teleological interpretation. The AG refers both to the definition of parties entitled to bring representative actions under Article 80 of the GDPR. According to the AG, that definition extends to "all entities which pursue an objective in the public interest that is connected with the protection of personal data", which also applies to consumer protection associations (para. 61). As regards further conditions for bringing representative actions, the AG found it sufficient for an entity to demonstrate "an infringement of the provisions of Regulation 2016/679 designed to protect the subjective rights of data subjects", without the necessity to verify if the rights of one or more specific persons have been infringed (para. 63). In addition, arguments concerning the effectiveness of the GDPR, its consistency with Directive 2020/1828, and a high level of protection of personal data have been cited.
Two broader points
Aside from the above, two further aspects of the opinion merit attention. Firstly, the AG considers the "particular characteristics" of the GDPR as a regulation and connects it to discussions on full harmonisation. The AG notes that while the GDPR "seems, at first sight, to tend towards full harmonisation ... the truth is more complex" (paras. 50-51). According to the AG:
"[T]he legal basis of Regulation 2016/679, namely Article 16 TFEU, precludes the view that in adopting that regulation the European Union would have pre-empted all the ramifications which the protection of personal data may have in other areas relating, in particular, to employment law, competition law or even consumer law, by depriving Member States of the possibility of adopting specific rules in those areas, more or less independently, depending on whether the area in question is governed by EU law. In that sense, although the protection of personal data is by nature cross-sectoral, the harmonisation implemented by Regulation 2016/679 is limited to the aspects specifically covered by that regulation in that area. Apart from those aspects, the Member States remain free to legislate, provided that they do not undermine the content and the objectives of that regulation." (para. 51)
One can wonder to what extent the above finding depends on the legal basis chosen. This is particularly important in the context of the ongoing legislative developments at EU level which equally take form of regulations, but are also based on Article 114 TFUE. A prominent case in point is the proposed Artificial Intelligence Act and the more recent proposal on political targeting. Arguably, doubts about the Member States' discretion can best be resolved by way of careful drafting that makes adequate use of 'opening clauses'.
Secondly, the opinion touches upon the broader relationship between consumer and data protection law. The AG admits that "unlike ... in the United States of America, in EU law the regulations relating to unfair commercial practices and those relating to the protection of personal data have developed separately" and "are thus the subject of different regulatory frameworks" (para. 79). The opinion further observes that unlike EU consumer law, the GDPR "is not based on a consumerist concept of the protection
of natural persons in relation to the processing of personal data, but on the concept that that protection is ... a fundamental right" (para 82). A number of important connections between consumer and data protection law are nonetheless recognized, as illustrated below:
"[T]here is some interaction between the two areas, so that actions falling within the framework of the regulations relating to the protection of personal data may, at the same time and indirectly, contribute to putting an end to an unfair commercial practice. The opposite is also true." (para. 80)
"[I]n the age of the digital economy, data subjects often have the capacity of consumers. It is for that reason that the rules designed to protect consumers are often relied on to ensure that consumers are protected against a processing of their personal data that is contrary to the provisions of Regulation 2016/679." (para. 83)
and finally
[T]here may be an overlap between the representative action provided for in Article 80(2) of Regulation 2016/679 and that provided for in Directive 2020/1828 in order to obtain injunctive relief when ‘data subjects’, within the meaning of that regulation, also have the capacity of ‘consumer’, within the meaning of Article 3(1) of that directive. I see there the sign of complementarity and convergence of the law relating to the protection of personal data with other areas of law, such as consumer law and competition law. With the adoption of that directive, the EU legislature went even further and expressly linked the protection of the collective interests of consumers with compliance with Regulation 2016/679. The effective application of the rules contained in that regulation cannot but be strengthened as a result." (para. 83)
Concluding thought
Overall, the AG not only speaks out in favour of consumer organisations' standing in cases involving data protection violations, but also supports a close relationship between consumer and data protection law. Arguably, both fields can also be aligned conceptually and, indeed, complement each other in the attainment of a high level of consumer and data protection. A judgment endorsing the AG's point of view would thus be very welcome.