Tuesday 10 May 2022

Consumer organisations may bring actions concerning the protection of personal data - CJEU in Meta Platforms Ireland (C-319/20)

A brief update on the Meta Platforms Ireland case: on April 28, 2022, the CJEU issued a judgment confirming that consumer protection organisations can bring actions in data breach cases under the GDPR. The Court thus endorsed the position of Advocate General Jean Richard de la Tour, which we reported on earlier.

As a reminder - under Article 80(1) of the GDPR, an organisation or association may lodge a complaint with a supervisory authority or bring an action before a court if the rights of a data subject have been violated as a result of improper processing of personal data. In such a case, the organisation or association should be authorised to act on behalf of the specific individual. However, pursuant to Article 80(2) of the GDPR, Member States may introduce appropriate provisions generally authorising organisations or associations to take such actions - regardless of the authorisation given by a specific individual. The condition is that such an organisation or association must be properly constituted in accordance with national law, have statutory objectives which are in the public interest, and be active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data [see Article 80(1) of the GDPR].

The legislation thus allows various entities to take action regardless of whether or not they are acting on behalf of a specific person. Consequently, in the Court's view, such an entity does not need to identify individually in advance the persons whose personal data is being processed in breach of the GDPR. The mere identification of a category or group of persons is sufficient (para. 69). Nor does the bringing of an action require the existence of a specific violation of rights under the GDPR (para. 70). An indication that the processing is likely to affect the rights of persons is sufficient, without the need to prove actual harm suffered by a specific person in a specific situation. In conclusion, the Court stated that this approach is intended to foster the strengthening of individuals' rights in relation to the processing of their personal data and generally contribute to ensuring a high level of protection of personal data. And since a breach of data protection rules may at the same time lead to a breach of consumer protection rules or of rules prohibiting unfair commercial practices (as was the case here), it would seem that consumer organisations are entitled to take appropriate actions, provided, of course, that they act on the basis of the relevant provisions adopted by the Member State in accordance with Article 80 of the GDPR.