New ECJ referral on representative actions in data protection law

By its order of 10 November 2022, the German Federal Court of Justice (Bundesgerichtshof) suspended the proceedings in the Verbraucherzentrale Bundesverband v Meta Platform Ireland Limited case again. After the European Court of Justice (the “ECJ”) had cleared the path for representative actions in data protection law by its judgment of 28 April 2022, the German Federal Court has now referred another question regarding the scope of Article 80(2) GDPR for a preliminary ruling, this time on the interpretation of an infringement “as a result of the processing”.

Background

In the dispute, the German Bundesverband der Verbraucherzentralen, the Federation of German Consumer Organisations, complained that the information given below the “Play Now“ button in the defendant’s app centre was in breach of the statutory requirements to obtain valid consent from the user for data protection law purposes. The plaintiff also complained that a concluding reference constituted a general business condition that was in its view unreasonably disadvantageous to the user.

As already reported in our news alert of 13 June 2022, by its order of 28 May 2020 the German Federal Court of Justice requested the ECJ to provide a preliminary ruling on the question of whether the provisions in Article 80(1) and (2) and Article 84(1) GDPR conflict with national legislation allowing competitors and likewise associations, entities and chambers entitled under national law to bring proceedings for GDPR breaches against an infringer before the civil courts independently of the infringement of specific rights of individual data subjects and without being instructed to do so by a data subject.

On 28 April 2022, the ECJ decided against the Federal Court’s view that the standing to bring proceedings may result from Article 80(2) GDPR. It held that in order to protect consumer interests, a consumer protection association may bring legal proceedings against the person allegedly responsible for infringing the protection of personal data, irrespective of the specific infringement, on the grounds that the prohibition of unfair commercial practices, consumer protection legislation or the prohibition of the use of invalid general terms and conditions has been violated. However, according to the ECJ, this requires that such data processing is able to affect the rights of identified or identifiable natural persons.

New suspension of the proceedings and referral to the ECJ

Following the oral hearing on 29 September 2022, the German Federal Court of Justice suspended the proceedings again. The Court’s order for reference of 10 November 2022 is mainly based on the assumption that the provision in Article 80(2) GDPR, which allows Member States to provide for procedural mechanisms for representative actions against the alleged infringer of the protection of personal data, only exists where the suing association claims the infringement of a data subject’s rights “as a result of the processing”.

The German Federal Court pointed out that the standing to bring proceedings conferred on the plaintiff by Section 8(3) No. 3 of the German Act against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb) and Section 3(1) sentence 1 No. 1 of the German Act on Injunctions against Infringements of Consumer Law and other Infringements (Unterlassungsklagengesetz) must fall within both the personal and material scope of Article 80 (2) GDPR. The Court held that, being a consumer protection association, the plaintiff is covered by the personal scope of Article 80 (2) GDPR. Whether, however, the requirements for the material scope are also fulfilled cannot be answered beyond any doubt according to the German Court.

In this respect, the German Federal Court in particular focuses on the requirement under Article 80(2) GDPR stating that the rights of the data subjects must have been infringed “as a result of the processing”. According to the Court, it is unclear whether such “processing” also includes the breach of the obligation at issue, i.e. the obligation to provide information on the purpose and scope of the consent. Ultimately, this is about whether “processing” as defined in Article 4(2) GDPR also means the obligation under Article 12(1) sentence 1 and Article 13(1)(c) and (e) GDPR to provide information to the data subject on the purpose of the processing and the recipients of personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Even if those obligations to provide information were to fall under “processing”, the German Federal Court further asks whether in the case at hand the infringement occurred “as a result” of the processing within the meaning of Article 80(2) GDPR. According to the German Federal Court, the wording “as a result” may suggest that the standing to bring proceedings by way of representative action relates to infringements which are the result of a processing operation as defined in Article 4(2)GDPR.

Conclusion and outlook

It remains to be seen how the ECJ will decide on the question referred to it. The German Federal Court of Justice already noted that eventually it may not be possible in the case at hand to successfully invoke Article 80(2) GDPR in support of the claimed standing to bring proceedings.