Tuesday, 10 May 2022

Consumer organisations may bring actions concerning the protection of personal data - CJEU in Meta Platforms Ireland (C-319/20)

A brief update on Meta Platforms Ireland case: on April 28, 2022, the CJEU issued a judgment confirming that consumer protection organisations can bring actions in data breach cases under the GDPR. The Court thus endorsed the position of Advocate General Jean Richard de la Tour, which we reported on earlier.

As a reminder - under Article 80(1) of the GDPR, an organisation or association may lodge a complaint with a supervisory authority or bring an action before a court if the rights of a data subject have been violated as a result of improper processing of personal data. In such a case, the organisation or association should be authorized to act on behalf of the specific individual. However, pursuant to Article 80(2) of the GDPR, Member States may introduce appropriate provisions generally authorizing organisations or associations to take such actions - regardless of the authorization given by a specific individual. The condition is that such an organisation or association must be properly constituted in accordance with the national law, have statutory objectives which are in the public interest, and should be active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data [see Article 80(1) of the GDPR].

The legislation thus allows various entities to take action regardless of whether or not they are acting on behalf of a specific person. Consequently, in the Court's view, such an entity does not need to identify individually in advance the persons whose personal data is being processed in breach of the GDPR. The mere identification of a category or group of persons is sufficient (para. 69). Nor does the bringing of an action require the existence of a specific violation of rights under the GDPR (para. 70). An indication that the processing is likely to affect the rights of persons is sufficient, without the need to prove actual harm suffered by a specific person in a specific situation. In conclusion, the Court stated that this approach is intended to foster the strengthening of individuals' rights in relation to the processing of their personal data and generally contribute to ensuring a high level of protection of personal data. And since a breach of data protection rules may at the same time lead to a breach of consumer protection or unfair commercial practices prohibition rules (as was the case here), it would seem that consumer organisations are entitled to take appropriate actions. Provided, of course, that they act on the basis of the relevant provisions adopted by the Member State according to the Article 80 of the GDPR. 


Thursday, 5 May 2022

Launch of the Financial capability framewok for adults in the EU

We have reported earlier on the joint EU/OECD project on developing the Financial competence framework for adults in the European Union. On 11 January 2022 this framwork has been launched (see the recording of the event here).

The framework promotes a shared understanding of the financial competences adults need to make sound decisions on personal finance. It supports public policies, financial literacy programmes and educational materials to be developed by Member States, educational institutions, industry and individuals. It also supports the exchange of good practices by policy makers and stakeholders within the EU.

Aftre the launch of the framework, the focus is now on its uptake by relevant stakeholders. In parallel, the Commission and the OECD will start work on developing a similar financial competence framework for children and youth, which is expected next year.