This document is an excerpt from the EUR-Lex website
Document 62020CC0319
Opinion of Advocate General Richard de la Tour delivered on 2 December 2021.#Meta Platforms Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband eV.#Request for a preliminary ruling from the Bundesgerichtshof.#Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 80 – Representation of the data subjects by a not-for-profit association – Representative action brought by a consumer protection association in the absence of a mandate and independently of the infringement of specific rights of a data subject – Action based on the prohibition of unfair commercial practices, the infringement of a consumer protection law or the prohibition of the use of invalid general terms and conditions.#Case C-319/20.
Opinion of Advocate General Richard de la Tour delivered on 2 December 2021.
Meta Platforms Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband eV.
Request for a preliminary ruling from the Bundesgerichtshof.
Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 80 – Representation of the data subjects by a not-for-profit association – Representative action brought by a consumer protection association in the absence of a mandate and independently of the infringement of specific rights of a data subject – Action based on the prohibition of unfair commercial practices, the infringement of a consumer protection law or the prohibition of the use of invalid general terms and conditions.
Case C-319/20.
Opinion of Advocate General Richard de la Tour delivered on 2 December 2021.
Meta Platforms Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband eV.
Request for a preliminary ruling from the Bundesgerichtshof.
Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 80 – Representation of the data subjects by a not-for-profit association – Representative action brought by a consumer protection association in the absence of a mandate and independently of the infringement of specific rights of a data subject – Action based on the prohibition of unfair commercial practices, the infringement of a consumer protection law or the prohibition of the use of invalid general terms and conditions.
Case C-319/20.
Court reports – general – 'Information on unpublished decisions' section
ECLI identifier: ECLI:EU:C:2021:979
RICHARD DE LA TOUR
delivered on 2 December 2021 ( 1 )
Case C‑319/20
Facebook Ireland Limited
v
Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.
(request for a preliminary ruling from the Bundesgerichtshof (Federal Court of Justice, Germany))
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 80(2) – Right to an effective judicial remedy – Representation of the data subjects by a not-for-profit association – Standing to bring proceedings of a consumer protection association)
I. Introduction
1. |
In the modern economy, marked by the boom in the digital economy, personal data processing is liable to affect individuals not only in their capacity as natural persons enjoying the rights conferred by Regulation (EU) 2016/679, ( 2 ) but also in their capacity as consumers. |
2. |
Because of that capacity, it is increasingly common for consumer protection associations to initiate actions for injunctions against the conduct of certain data controllers that infringes rights protected by that regulation and at the same time infringes rights protected by other rules resulting both from EU law and from relevant national law relating, in particular, to the protection of consumer rights and to the combat against unfair commercial practices. |
3. |
The present request for a preliminary ruling was made in proceedings between the Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (Federation of German Consumer Organisations; ‘the Federation’) and Facebook Ireland, whose registered office is in Ireland. The Federation takes issue with Facebook Ireland for an infringement of the German legislation on the protection of personal data that, at the same time, amounts to an unfair commercial practice, an infringement of a law on consumer protection and a breach of the prohibition on the use of invalid general conditions. |
4. |
By the question referred, the Court is asked, essentially, to interpret Article 80(2) of Regulation 2016/679 in order to determine whether that provision precludes consumer protection associations from retaining, following the entry into force of that regulation, the standing to bring proceedings that national law confers on them in order to obtain injunctions against conduct that constitutes both an infringement of the rights conferred by that regulation and an infringement of the rules designed to protect consumer rights and to combat unfair commercial practices. In so far as such standing to bring proceedings had been deemed by the Court to be compatible with Directive 95/46/EC, ( 3 ) it will be for the Court ( 4 ) to say whether Regulation 2016/679 has altered the legal position on that point. |
II. Legal framework
A. Regulation 2016/679
5. |
Article 80 of Regulation 2016/679, entitled ‘Representation of data subjects’, is worded as follows: ( 5 ) ‘1. The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law. 2. Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.’ |
B. German law
6. |
Paragraph 3(1) of the Gesetz gegen den unlauteren Wettbewerb (Law against unfair competition) ( 6 ) of 3 July 2004, in the version applicable to the main proceedings, provides: ‘Unfair commercial practices shall be prohibited.’ |
7. |
Paragraph 3a of the UWG is worded as follows: ‘A person shall be considered to be acting unfairly where he or she infringes a statutory provision that is also intended to regulate market behaviour in the interests of market participants and the infringement is liable to have a significantly adverse effect on the interests of consumers, other market participants or competitors.’ |
8. |
Paragraph 8(1) and (3) of the UWG provides: ‘(1) Any commercial practice which is unlawful under Paragraph 3 or Paragraph 7 may give rise to an order to cease and desist and, where there is a risk of recurrence, to a prohibition order. An application for a prohibition order may be made as from the time at which there is a risk of such unlawful practice within the meaning of Paragraph 3 or Paragraph 7 occurring. … (3) Applications for the orders referred to in subparagraph 1 may be lodged by: …
…’ |
9. |
Paragraph 2 of the UKlaG provides: ‘(1) Anyone who, other than by the use or recommendation of general terms and conditions, infringes the rules on consumer protection (consumer protection laws) may be subject to an injunction for the future and ordered to cease immediately in the interest of consumer protection … (2) For the purposes of this provision, “consumer protection” means, in particular: …
where the data are collected, processed or used for purposes of advertising, market and opinion research, use by an information agency, a personality and usage profile establishment, of any other data business or for similar commercial purposes. …’ |
10. |
The Bundesgerichtshof (Federal Court of Justice, Germany) states that, under Paragraph 3(1), first sentence, point 1, of the UKlaG, the bodies with standing to bring proceedings, within the meaning of that provision, may seek injunctions for infringements of the legislation on consumer protection, which, in accordance with Paragraph 2(2), first sentence, point 11 of that law, also includes the provisions which relate to the lawfulness of the collection, processing and use, by a business, of the personal data of a consumer for advertising purposes. In addition, still under Paragraph 3(1), first sentence, point 1 of the UKlaG, the bodies with standing to bring proceedings may claim, in accordance with Paragraph 1 of the UKlaG, an injunction against the use of general terms and conditions which are invalid under Paragraph 307 of the Bürgerliches Gesetzbuch (Civil Code), where they consider that those general terms and conditions infringe a provision relating to data protection. |
11. |
Paragraph 13(1) of the Telemediengesetz (Law on electronic media) ( 9 ) of 26 February 2007 is worded as follows: ‘From the outset of the use, the service provider must provide the user in a universally comprehensible form of the mode, the extent and the purpose of the collection and use of personal data and of the processing of his or her data in States which do not come within the scope of [Directive 95/46] in so far as he or she has not already been so informed. In automated procedures, which permit the user to be identified subsequently and which prepare for the collection or use of personal data, the user must be informed at the outset of that procedure. The user must be able to consult the content of that information at any time.’ |
III. The facts of the dispute in the main proceedings and the question referred for a preliminary ruling
12. |
In Germany, the Federation is included on the list of entities with standing to bring proceedings under Paragraph 4 of the UKlaG. Facebook Ireland operates, at the address www.facebook.de, the internet platform Facebook, which permits the exchange of personal data and other data. |
13. |
The internet platform Facebook includes an area called ‘App-Zentrum’ (‘App Centre’) on which Facebook Ireland, inter alia, makes free games supplied by third parties available to its users. When accessing certain games in the App Centre on 26 November 2012, the user could see certain information under the ‘Sofort spielen’ (‘Play now’) button. It follows, in essence, from that information that the use of the app in question enabled the company having supplied the games to obtain certain personal data and authorised it to post, on behalf of the user, certain information, such as his or her score. That use entailed acceptance by the user of the general terms and conditions of the app and of its data protection policy. In addition, in the case of the game Scrabble, it is stated that the app is authorised to post the status, photos and other information on behalf of the user. |
14. |
The Federation takes issue with the presentation of the information supplied under the ‘Play now’ button of the App Centre on the ground that it is unfair, in particular on the ground of failure to comply with the statutory conditions that apply to the obtention of the user’s valid consent under the provisions governing data protection. In addition, it considers that the final notice in the case of the game Scrabble is a general condition which is unreasonably detrimental to the user. |
15. |
In that context, the Federation brought an action before the Landgericht Berlin (Regional Court, Berlin, Germany) for an injunction against Facebook Ireland. The referring court states that that action was brought independently of a specific infringement of the data protection rights of a data subject and without a mandate from a data subject. |
16. |
The Federation submitted that Facebook Ireland should be prohibited, subject to periodic penalty payments, from ‘presenting games, in the context of commercial activities aimed at consumers permanently resident in … Germany, on the website corresponding to the address www.facebook.com, and in the “App Centre”, in such a way that, by clicking on a button such as “[Play now]”, the consumer declares that the game operator obtains, via the social network operated by [Facebook Ireland], information on the personal data on that website and is authorised to transmit (publish) information on behalf of the consumer …’. |
17. |
The Federation also asked that Facebook Ireland be prohibited from ‘including in agreements with consumers habitually resident in … Germany the following provision or provisions having an identical content relating to the use of applications (apps) in the context of a social network, and from stating the provisions relating to the transmission of data to the games operators: “Diese Anwendung darf Statusmeldungen, Fotos und mehr in deinem Namen posten” [(This app may post status messages, photos and more on your behalf)]’. |
18. |
The Landgericht Berlin (Regional Court, Berlin) made the order sought by the Federation against Facebook Ireland. Facebook Ireland’s appeal before the Kammergericht Berlin (Higher Regional Court, Berlin, Germany) was dismissed. |
19. |
Facebook Ireland lodged an appeal on a point of law before the referring court against the decision of the appellate court. |
20. |
As regards the substance, the referring court considers that the appellate court was correct to find that the Federation’s submissions were well founded. By failing to comply with the obligations to provide information resulting from the first clause of the first sentence of Paragraph 13(1) of the TMG, Facebook Ireland infringed Paragraph 3a of the UWG and the first sentence of point 11 of Paragraph 2(2) of the UKlaG. The appellate court correctly considered that the provisions of Paragraph 13 of the TMG at issue in the present case are statutory provisions governing the conduct of market participants within the meaning of Paragraph 3a of the UWG. They are also provisions which, in accordance with point 11(a) of the first sentence of Paragraph 2(2) of the UKlaG, govern the lawfulness of the collection, processing or use by a business of the personal data of a consumer which were collected, processed or used for advertising purposes. The referring court considers, moreover, that by failing to comply with the obligations to provide information in relation to data processing that are applicable in the present case, Facebook Ireland relied on a general condition that is invalid for the purposes of Paragraph 1 of the UKlaG. |
21. |
The referring court has doubts, however, as to whether the appellate court was correct to consider that the Federation’s action was admissible. It questions whether a consumer protection association, such as the Federation, still has, since the entry into force of Regulation 2016/679, standing to bring proceedings, by lodging an action before the civil courts, against infringements of that regulation, independently of an actual infringement of the rights of individual data subjects and without being mandated by them, by invoking an infringement of the law within the meaning of Paragraph 3a of the UWG, infringement of a law on consumer protection within the meaning of point 11 of the first sentence of Paragraph 2(2) of the UKlaG or even the use of a general term or condition that is invalid in application of Paragraph 1 of the UKlaG. |
22. |
The referring court observes that the admissibility of the action was not in doubt before the entry into force of Regulation 2016/679. The Federation was authorised to bring proceedings for an injunction before the civil courts in accordance with Paragraph 8(3)(3) of the UWG and point 1 of the first sentence of Paragraph 3(1) of the UKlaG. |
23. |
According to the referring court, it is possible that that legal regime has been altered owing to the entry into force of Regulation 2016/679. |
24. |
As regards the substance, the referring court observes that Paragraph 13(1) of the TMG has no longer been applicable since the entry into force of Regulation 2016/679, as the relevant obligations to provide information are now those resulting from Articles 12 to 14 of Regulation 2016/679. Thus, according to the referring court, Facebook Ireland has not complied with its obligation under the first sentence of Article 12(1) of that regulation, which consists in providing to the data subject, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, the information referred to in Article 13(1)(c) and (e) of that regulation, which relates to purposes of the processing of the data and to the recipient of the personal data. |
25. |
As regards the admissibility of the action, it is, according to the referring court, debatable whether bodies with standing to bring proceedings within the meaning of Paragraph 4 of the UKlaG have been authorised, since the entry into force of Regulation 2016/679 and in accordance with Paragraph 8(3)(3) of the UWG, to bring legal proceedings against infringements of the provisions of that regulation, which, pursuant to the second paragraph of Article 288 TFEU, are directly applicable, by relying on an infringement of the law within the meaning of Paragraph 3a of the UWG. |
26. |
In that regard, the referring court states that there are diverging points of view as to whether Regulation 2016/679 itself exhaustively governs the supervision of the application of its provisions. |
27. |
It observes, as concerns the wording of Regulation 2016/679, that the standing to bring proceedings of an entity such as the Federation, on the basis of Paragraph 8(3)(3) of the UWG, is not covered by Article 80(1) of that regulation, in so far as the action for an injunction at issue in the main proceedings was not mandated by and on behalf of a data subject for the purpose of exercising his or her personal rights. The question is, on the contrary, whether the Federation has standing to bring proceedings on the basis of a right which is peculiar to it, which would allow it, in the event of infringement of the law within the meaning of Paragraph 3a of the UWG, to bring proceedings against infringements of the provisions of that regulation on an objective basis, independently of the infringement of the actual rights of individual data subjects and of a mandate to act on their behalf. |
28. |
The referring court observes that the Federation’s standing to bring proceedings in order to secure the application, objectively, of the law relating to the protection of personal data is not provided for in Article 80(2) of Regulation 2016/679. Although that provision does indeed permit an action to be brought by such an entity independently of any mandate given by a data subject, it is however necessary for the rights of a data subject, as provided for in that regulation, to have been infringed by a processing. Consequently, Article 80(2) of that regulation also does not authorise, in the light of its wording, the standing to bring proceedings of associations which rely on objective infringements of the law relating to the protection of personal data, independently of an infringement of the subjective rights of a particular data subject, by relying, as in the present case, on Paragraph 3a and Paragraph 8(3)(3) of the UWG. The same conclusion can be drawn from the second sentence of recital 142 of Regulation 2016/679, which also refers to the infringement of the rights of a data subject as a condition of an association’s standing to bring proceedings independently of a mandate from the data subject in question. |
29. |
Furthermore, an association’s standing to bring proceedings, such as that provided for in Paragraph 8(3) of the UWG, cannot, according to the referring court, result from Article 84(1) of Regulation 2016/679, under which Member States are to lay down the rules on other penalties applicable to infringements of that regulation and are to take all measures necessary to ensure that they are implemented. In fact, an association’s standing to bring proceedings, such as that referred to in Paragraph 8(3) of the UWG, cannot be regarded as a ‘penalty’ for the purposes of that provision of the regulation. |
30. |
The referring court observes, moreover, that the structure of Regulation 2016/679 is such that it cannot be determined with certainty whether the standing of a body to bring proceedings on the basis of Paragraph 8(3)(3) of the UWG, that is to say, on the basis of a provision designed to combat unfair competition, may still be recognised since the entry into force of that regulation. In its view, it may be inferred from the fact that that regulation confers on the supervisory authorities extended supervisory and investigative powers and the power to adopt corrective measures that it is primarily for those authorities to oversee the application of the provisions of that regulation. That would be inconsistent with a broad interpretation of Article 80(2) of Regulation 2016/679. The referring court also observes that the adoption of national measures to implement a regulation is generally permitted only where it is expressly authorised. However, the expression ‘without prejudice to any other … remedy’, which appears in Article 77(1), Article 78(1) and (2) and Article 79(1) of that regulation, may undermine the argument that oversight of the application of the law is exhaustively governed by that regulation. |
31. |
As regards the objective of Regulation 2016/679, the effectiveness of that regulation may support an argument in favour of associations having standing to bring proceedings on the basis of competition law, in accordance with Paragraph 8(3)(3) of the UWG, independently of the infringement of specific rights of data subjects, since that would allow an additional opportunity to supervise the application of the law to remain, in order to ensure as high a level as possible of the protection of personal data, in accordance with recital 10 of that regulation. Nonetheless, accepting that associations have standing to bring proceedings on the basis of competition law may be considered to run counter to the objective of harmonisation pursued by that regulation. |
32. |
The referring court also expresses doubts as to the continuation, after the entry into force of Regulation 2016/679, of the standing of the bodies referred to in point 1 of the first sentence of Paragraph 3(1) of the UKlaG to bring proceedings in the event of an infringement of the provisions of that regulation, by means of actions for failure to comply with a law relating to consumer protection, within the meaning of point 11 of the first sentence of Paragraph 2(2) of the UKlaG. The same applies with regard to the standing of a consumer protection association, in accordance with Paragraph 1 of the UKlaG, to bring proceedings for an injunction against the use of general terms and conditions which are invalid, within the meaning of Paragraph 307 of the Civil Code. |
33. |
Even on the assumption that the various national provisions which, before the entry into force of Regulation 2016/679, formed the basis of the standing of bodies to bring proceedings can be considered to be an anticipated implementation of Article 80(2) of that regulation, in order to be recognised in the present case as having standing to bring proceedings, the Federation would, according to the referring court, be required to claim that the rights of a data subject, provided for in that regulation, were infringed as a result of a processing. That condition is not satisfied. |
34. |
That court emphasises that the Federation’s submissions relate only to the abstract supervision of the presentation of the App Centre by Facebook Ireland in the light of the law on data protection and that the Federation has not claimed that there has been an infringement of the rights of an identified or identifiable natural person, within the meaning of Article 4(1) of Regulation 2016/679. |
35. |
If the inevitable conclusion were that, following the entry into force of Regulation 2016/679, the Federation has lost its standing to bring proceedings based on the provisions of German law cited above, the referring court states that it would have to uphold Facebook Ireland’s appeal on a point of law and dismiss the Federation’s action, since, under German procedural law, standing to bring proceedings must endure until the proceedings at last instance have been concluded. |
36. |
In the light of those considerations, the Bundesgerichtshof (Federal Court of Justice) decided to stay the proceedings and to refer the following question to the Court of Justice for a preliminary ruling: ‘Do the rules in Chapter VIII, in particular in Article 80(1) and (2) and Article 84(1), of Regulation (EU) 2016/679 preclude national rules which – alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the Regulation and the options for legal redress for data subjects – empower, on the one hand, competitors and, on the other, associations, entities and chambers entitled under national law, to bring proceedings for breaches of Regulation (EU) 2016/679, independently of the infringement of specific rights of individual data subjects and without being mandated to do so by a data subject, against the infringer before the civil courts on the basis of the prohibition of unfair commercial practices or breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions?’ |
37. |
The Federation, Facebook Ireland, the Austrian and Portuguese Governments and the Commission have lodged written observations. Those parties – with the exception of the Portuguese Government – as well as the German Government submitted their oral observations at the hearing on 23 September 2021. |
IV. Analysis
38. |
By its question, the referring court is asking, in essence, whether Regulation 2016/679, and in particular Article 80(2) of that regulation, must be interpreted as precluding national legislation which allows consumer protection associations to bring proceedings against the person alleged to be responsible for an infringement of the protection of personal data, by relying on the prohibition of unfair commercial practices, infringement of a consumer protection law or the prohibition of the use of invalid general terms and conditions. |
39. |
According to Article 4(1) of Regulation 2016/679, a ‘data subject’, for the purposes of that regulation, is ‘an identified or identifiable natural person’. When such a person considers that his or her personal data have been processed in a manner contrary to the provisions of that regulation, he or she has a number of means of action available. |
40. |
Thus, a data subject is to have the right, under Article 77 of that regulation, to lodge a complaint with a supervisory authority. Under Article 78 of Regulation 2016/679, moreover, that person is to have the right to an effective judicial remedy against a supervisory authority. In addition, Article 79(1) of that regulation confers on each data subject the right to an effective judicial remedy where he or she considers that his or her rights under that regulation have been infringed as a result of the processing of his or her personal data in non-compliance with that regulation. |
41. |
Data subjects may of course themselves lodge a complaint with a supervisory authority or indeed exercise the judicial remedies described above. Nonetheless, Article 80 of Regulation 2016/679 provides, on certain conditions, that those data subjects may be represented by a not-for-profit body, organisation or association. In addition to individual actions, EU law thus provides for various possibilities of representative actions conducted via entities entrusted with representing data subjects. ( 10 ) Article 80 of Regulation 2016/679 therefore forms part of the tendency to develop the representative actions brought by those entities with the aim of protecting general or collective interests as a means of strengthening access to justice by those affected by an infringement of the rules in question. ( 11 ) |
42. |
Article 80 of Regulation 2016/679, entitled ‘Representation of data subjects’, consists of two paragraphs. The first covers the situation in which a data subject gives a mandate to a body, organisation or association to represent him or her. The second relates to the representative action brought by an entity independently of any mandate conferred by a data subject. |
43. |
In so far as the action brought by the Federation does not rely on the mandate of a data subject, it is Article 80(2) of Regulation 2016/679 that is relevant in the present reference for a preliminary ruling. |
A. The judgment in Fashion ID
44. |
In its judgment in Fashion ID, the Court ruled, in relation to Directive 95/46, on a question similar to that submitted in the present reference for a preliminary ruling. It thus ruled that ‘Articles 22 to 24 [of that directive] must be interpreted as not precluding national legislation which allows consumer-protection associations to bring … legal proceedings against a person allegedly responsible for an infringement of the protection of personal data’. ( 12 ) |
45. |
In order to arrive at that conclusion, the Court began by asserting that no provision of Directive 95/46 obliged Member States to provide in their national law that an association can represent a data subject in legal proceedings or commence legal proceedings on its own initiative against the person allegedly responsible for an infringement of laws protecting personal data. ( 13 ) According to the Court, it nevertheless did not follow that that directive precluded national legislation that allowed consumer protection associations to bring legal proceedings against the person alleged to be responsible for such an infringement. ( 14 ) In that regard, the Court highlighted the characteristics peculiar to a directive and the obligation of the Member States to which a directive is addressed to adopt all the measures necessary to ensure that the directive concerned is fully effective in accordance with the objective which it seeks to attain. ( 15 ) |
46. |
The Court then pointed out that the objectives of Directive 95/46 were to ‘ensure effective and complete protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data’ and to ‘ensure a high level of protection in the European Union’. ( 16 ) According to the Court, the fact that a Member State provided in its national legislation that it was possible for a consumer protection association to commence legal proceedings against a person alleged to be responsible for an infringement of the laws protecting personal data contributed to the realisation of those objectives. ( 17 ) The Court emphasised, moreover, that ‘in many respects, Member States have a margin of discretion in implementing [Directive 95/46]’, ( 18 ) in particular in the case of Articles 22 and 24, which ‘are worded in general terms and do not amount to an exhaustive harmonisation of the national provisions stipulating the judicial remedies that can be brought against a person allegedly responsible for an infringement of the laws protecting personal data’. ( 19 ) Thus, ‘a provision making it possible for a consumer-protection association to commence legal proceedings against a person who is allegedly responsible for an infringement of the laws protecting personal data may constitute a suitable measure, within the meaning of [Article 24 of that directive], that contributes … to the realisation of the objectives of that directive, in accordance with the Court’s case-law’. ( 20 ) |
47. |
The present reference for a preliminary ruling asks the Court to decide whether what was permissible under Directive 95/46 should now be prohibited following the entry into force of Regulation 2016/679. In other words, does Article 80(2) of that regulation have the legal effect of removing a consumer protection association’s standing to bring proceedings in an action such as that at issue in the main proceedings? |
48. |
It is already permissible to doubt that that is so solely on reading paragraph 62 of the judgment in Fashion ID, where the Court observed that the fact that Regulation 2016/679 ‘expressly authorises, in Article 80(2) thereof, Member States to allow consumer-protection associations to bring … legal proceedings against a person who is allegedly responsible for an infringement of the laws protecting personal data does not mean that Member States could not grant them that right under Directive 95/46, but confirms, rather, that the interpretation of that directive in the present judgment reflects the will of the EU legislature’. ( 21 ) |
49. |
For the reasons which I shall now set out, I consider that neither the fact that Directive 95/46 has been replaced by a regulation nor the fact that Regulation 2016/679 now devotes one article to the representation of data subjects in legal proceedings are capable of calling in question what the Court decided in its judgment in Fashion ID, namely that Member States may provide in their national legislation for consumer protection associations to bring proceedings against a person who is allegedly responsible for an infringement of the laws protecting personal data. |
B. The particular characteristics of Regulation 2016/679
50. |
As regards the fact that Directive 95/46 has been replaced by a different type of instrument, namely Regulation 2016/679, it should be observed that the EU legislature’s decision to employ the legal form of a regulation, which, pursuant to Article 288 TFEU, is to be binding in its entirety and directly applicable in all Member States, is explained by its desire, expressed in recital 13 of Regulation 2016/679, to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market. That regulation therefore seems, at first sight, to tend towards full harmonisation – rather than merely establishing minimum standards which the Member States may enhance and leaving to those States the choice of derogating from, supplementing or implementing its provisions – so that the simultaneous and uniform application in the European Union of the provisions of that regulation is not jeopardised. |
51. |
The truth is more complex. In fact, the legal basis of Regulation 2016/679, namely Article 16 TFEU, ( 22 ) precludes the view that in adopting that regulation the European Union would have pre-empted all the ramifications which the protection of personal data may have in other areas relating, in particular, to employment law, competition law or even consumer law, by depriving Member States of the possibility of adopting specific rules in those areas, more or less independently, depending on whether the area in question is governed by EU law. ( 23 ) In that sense, although the protection of personal data is by nature cross-sectoral, the harmonisation implemented by Regulation 2016/679 is limited to the aspects specifically covered by that regulation in that area. Apart from those aspects, the Member States remain free to legislate, provided that they do not undermine the content and the objectives of that regulation. |
52. |
Furthermore, a detailed examination of the provisions of Regulation 2016/679 reveals that the extent of the harmonisation brought about by that regulation varies according to the provisions under consideration. Determining the normative scope of that regulation therefore requires a case-by-case examination. ( 24 ) While it may be considered, in line with the case-law relating to Directive 95/46, ( 25 ) that Regulation 2016/679 brings about a harmonisation which is ‘generally complete’, several provisions of that regulation, however, allow the Member States a margin for manoeuvre which must or may, depending on the case, be used by them in the conditions and within the limits laid down in those provisions. ( 26 ) |
53. |
It should be borne in mind that, according to the Court’s settled case-law, ‘pursuant to Article 288 TFEU and by virtue of the very nature of regulations and of their function in the system of sources of EU law, the provisions of those regulations generally have immediate effect in the national legal systems without its being necessary for the national authorities to adopt measures of application. Nonetheless, some of those provisions may necessitate, for their implementation, the adoption of measures of application by the Member States’. ( 27 ) The use of a regulation does not necessarily mean that no scope for action is left to those concerned by the provisions of that regulation. ( 28 ) Furthermore, the mandatory and directly applicable nature of a regulation does not preclude an act of that nature from containing optional rules. ( 29 ) |
54. |
Article 80(2) of Regulation 2016/679 constitutes, by virtue of the use of the word ‘may’, an example of an optional provision that gives the Member States a margin of discretion when they implement it. |
55. |
That provision is one of the numerous ‘opening clauses’ in that regulation, which give it its distinctiveness by comparison with a traditional regulation and cause it to resemble a directive. ( 30 ) The references to national law in those clauses may be binding, ( 31 ) but most frequently constitute an option left to the Member States. ( 32 ) It has been observed that these numerous references to national laws entail the risk of a new fragmentation of the arrangements for the protection of personal data within the European Union, running counter to the EU legislature’s expressed desire to achieve greater uniformity in those arrangements and being capable of having negative effects on the effectiveness of that protection, and likewise on the ease with which controllers and processors are able to understand their obligations. ( 33 ) The scope of the harmonisation brought about by Regulation 2016/679 is thus limited by the many ‘opening clauses’ in that regulation. |
56. |
It is clear that, by comparison with the situation when Directive 95/46 was applicable, the EU legislature wished, with Regulation 2016/679, to regulate more broadly and more specifically at EU level the aspects relating to the representation of data subjects for the purpose of lodging a complaint before a supervisory authority or indeed bringing judicial proceedings. ( 34 ) However, paragraphs 1 and 2 of Article 80 of that regulation do not have the same normative scope. While paragraph 1 of that article is binding on Member States, ( 35 ) paragraph 2 merely provides them with an option. Thus, in order for it to be possible to proceed with the representative action without a mandate provided for in Article 80(2) of that regulation, Member States must make use of the option made available to them by that provision to provide in their national law for that mode of representation of data subjects. |
57. |
Article 80(2) of Regulation 2016/679 cannot be considered – if only because of its optional nature and the potential disparities between national laws which that entails – to have brought about complete harmonisation with respect to representative actions without a mandate in relation to the protection of personal data. However, when they implement that provision in their national law, Member States must observe the conditions and limits within which the EU legislature wished to confine the exercise of the possibility provided for in that provision. |
58. |
Although those limits are applied more precisely by comparison with the situation when Directive 95/46 was in force, the Member States nonetheless retain a margin of discretion when they implement Article 80(2) of Regulation 2016/679. |
59. |
It is apparent from the material available to the Court that, following the entry into force of that regulation, the German legislature did not adopt any provision specifically intended to implement Article 80(2) of that regulation in its national law. That being so, it is necessary to examine, as the referring court asks the Court to do, whether the pre-existing rules of German law which confer on a consumer protection association standing to bring proceedings for an injunction against conduct that constitutes an infringement of provisions of Regulation 2016/679 and at the same time of rules intended, in particular, to protect consumers are compatible with that provision. In other words, is the national law that existed prior to the entry into force of that regulation consistent with what is permitted by Article 80(2) of that regulation? |
60. |
As the German Government explained at the hearing, the national provisions that authorise an association like the Federation to bring a representative action such as that at issue in the main proceedings are measures adopted in order to transpose Directive 2009/22. In order to answer the question whether Article 80(2) of Regulation 2016/679 also authorises such an action, and therefore whether those national provisions come within the scope of the margin of discretion allowed to each Member State, ( 36 ) it is appropriate to interpret that article taking account, in particular, of its wording and also of the structure and the objectives of that regulation. |
C. The literal, systematic and teleological interpretation of Article 80(2) of Regulation 2016/679
61. |
In the words of Article 80(2) of Regulation 2016/679, the representative actions provided for therein may be brought by ‘any body, organisation or association referred to in paragraph 1’ of that article. Article 80(1) of that regulation refers to ‘a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data’. Such a definition cannot in my view be limited to entities whose sole and exclusive object is the protection of personal data, but extends to all entities which pursue an objective in the public interest that is connected with the protection of personal data. That applies to consumer protection associations, such as the Federation, which are led to bring actions for injunctions in respect of conduct which, while undermining the provisions of that regulation, also infringe the rules on consumer protection or the rules against unfair competition. ( 37 ) |
62. |
According to the wording of Article 80(2) of Regulation 2016/679, the representative action may be brought by an entity that satisfies the conditions referred to in paragraph 1 of that article if it ‘considers that the rights of a data subject under [that regulation] have been infringed as a result of the processing’. Contrary to what the referring court appears to suggest, I do not believe that that phrase should be interpreted restrictively, as meaning that, in order to be authorised to bring an action as provided for in Article 80(2) of Regulation 2016/679, an entity should identify in advance one or more persons actually affected by the processing in question. The drafting history of that regulation does not in any way suggest that that is the case. In addition, the actual definition of ‘data subject’, within the meaning of Article 4(1) of that regulation, that is to say, an‘identified or identifiable natural person’, ( 38 ) seems to me to be inconsistent with the requirement that the persons whose data are processed in a manner contrary to the provisions of Regulation 2016/679 should already be identified when a representative action is brought on the basis of Article 80(2) of that regulation. It follows logically that it cannot be required, under that provision, that an entity must allege the existence of specific cases relating to individually designated persons in order to be authorised to act in a way that is consistent with that provision. |
63. |
To my mind, all that is required in order to bring a representative action on the basis of Article 80(2) of Regulation 2016/679 is an allegation that personal data have been processed in a manner which is contrary to the provisions of that directive that are designed to protect individual rights and is therefore liable to affect the rights of identified or identifiable persons, without the standing of an entity to bring proceedings being subject to verification, in each individual case, of whether the rights of one or more specific persons have been infringed. ( 39 ) In short, such an action must be based on infringement of the rights which a natural person is able to derive from that regulation resulting from a processing of his or her personal data. The purpose of that action is not to protect an objective right, but to protect only the subjective rights which data subjects derive directly from Regulation 2016/679. ( 40 ) In other words, the opening clause in Article 80(2) of that regulation is intended to permit authorised entities to have a supervisory authority, or indeed a court, determine whether the controllers complied with the rules designed to protect data subjects that are laid down in that regulation. ( 41 ) From that aspect, in order for an entity to have standing to bring proceedings under that provision, it is sufficient for it to show that there has been an infringement of the provisions of Regulation 2016/679 designed to protect the subjective rights of data subjects. |
64. |
As the Commission observes, in essence, an interpretation of Article 80(2) of Regulation 2016/679 according to which, in order to bring a representative action without a mandate, an entity would have to demonstrate or prove that a specific person’s rights had been harmed in a given situation, would be excessively restrictive of the scope of that provision. Like the Portuguese Government and the Commission, I consider that Article 80(2) of that regulation should be given an interpretation that maintains its effectiveness by reference to paragraph 1 of that article. Consequently, Article 80(2) of that regulation should, in my view, be interpreted as going beyond the representation of individual cases, which is the purpose of paragraph 1 of that article, by providing a possibility of representation, at the initiative of the authorised entities, and independently, of the collective interests of those whose personal data have been processed in a manner contrary to Regulation 2016/679. The effectiveness of Article 80(2) of that regulation would be significantly reduced if it were necessary to consider that, as is required in paragraph 1 of that article, an entity’s action was limited in both cases to the representation of persons individually designated by name. |
65. |
The interpretation of Article 80(2) of Regulation 2016/679 which I propose is also consistent with the deterrent nature and dissuasive purpose of actions for injunctions, together with their independence of any particular dispute. ( 42 ) |
66. |
In order to avoid the risk of creating two different standards concerning the standing to bring proceedings of the entities authorised to bring an action for an injunction, depending on whether such an action is based on a national measure that comes within the scope of Article 80(2) of Regulation 2016/679 or on a measure that comes within the scope of Directive 2020/1828, it seems appropriate to me, even though that directive is not applicable in the context of the dispute in the main proceedings, to take account of the fact that that directive does not require that such entities invoke the existence of individual consumers designated by name as having been affected by the infringement at issue, ( 43 ) but that they invoke the existence of infringements by traders of the provisions of EU law referred to in Annex I to that directive, ( 44 ) which, moreover, mentions, in point 56, Regulation 2016/679. |
67. |
The argument in favour of a restrictive interpretation of Article 80(2) of Regulation 2016/679 precludes, wrongly in my view, the defence of the collective interests of consumers ( 45 ) and the protection of the rights of each person who is alleged to have been treated in a manner contrary to that regulation. In fact, the defence of the collective interests of consumers does not in my view preclude the protection of the subjective rights which data subjects derive directly from Regulation 2016/679, but, on the contrary, it incorporates such protection. |
68. |
Furthermore, I perceive, in the assertion in recital 15 of Directive 2020/1828 that ‘the enforcement mechanisms provided for in or based on Regulation … 2016/679 … could, where applicable, still be used for the protection of the collective interests of consumers’, ( 46 ) confirmation that the representative action provided for in Article 80(2) of that regulation is indeed capable of covering the protection of such interests. |
69. |
I infer from the foregoing elements that Article 80(2) of Regulation 2016/679, to my mind, authorises the Member States to provide for the possibility for authorised entities to bring, without a mandate from the data subjects, representative actions designed to protect the collective interests of consumers, provided that an infringement of the provisions of that regulation which are intended to confer subjective rights on data subjects is alleged. |
70. |
That is indeed the case of the action for an injunction brought by the Federation against Facebook Ireland. |
71. |
In fact, I recall that, according to the referring court and in accordance with the Federation’s submissions, Facebook Ireland did not comply with its duty under the first sentence of Article 12(1) of Regulation 2016/679 to provide the data subject, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, the information referred to in Article 13(1)(c) and (e) of that regulation, which relates to the purposes of the processing of the data and to the recipient of the personal data. Those provisions certainly belong to the category of those that confer subjective rights on data subjects, which is confirmed, in particular, by the fact that they appear in Chapter III of that regulation, entitled ‘Rights of the data subject’. Accordingly, the protection of those rights may be claimed either directly by the data subjects or by an entity authorised under Article 80(1) of Regulation 2016/679 or indeed under national provisions implementing Article 80(2) of that regulation. |
72. |
I also consider that Article 80(2) of Regulation 2016/679 does not preclude national provisions which authorise a consumer protection association to bring an action for an injunction in order to ensure compliance with the rights conferred by that directive by means of rules designed to protect consumers or to combat unfair commercial practices. Such rules may contain provisions similar to those contained in that regulation, in particular with regard to providing information to data subjects about the processing of their personal data, ( 47 ) which means that the infringement of a rule relating to the protection of personal data may at the same time entail the infringement of rules relating to consumer protection or unfair commercial practices. There is nothing in the wording of Article 80(2) of Regulation 2016/679 to prevent the partial implementation of that opening clause from meaning that the representative action aims to protect, in their capacity as consumers, the rights which data subjects derive from that regulation. ( 48 ) |
73. |
The interpretation of Article 80(2) of Regulation 2016/679 thus proposed is to my mind the one best able to achieve the objectives pursued by that regulation. |
74. |
In that regard, the Court has observed that, ‘as is clear from its Article 1(2), read together with recitals 10, 11 and 13 thereof, Regulation 2016/679 requires the European Union institutions, bodies, offices and agencies, and the competent authorities of the Member States, to ensure a high level of protection of the rights guaranteed in Article 16 TFEU and Article 8 of the Charter [of Fundamental Rights of the European Union]’. ( 49 ) Furthermore, the aim pursued by that regulation is ‘to ensure effective protection of the freedoms and fundamental rights of individuals, in particular, their right to protection of privacy and the protection of personal data’. ( 50 ) |
75. |
It would be contrary to the objective of ensuring a high level of protection of personal data if the Member States were precluded from putting in place actions which, while pursuing an objective of protecting consumers, also help to achieve the objective of protecting personal data. As was the case for Directive 95/46, it may again be asserted, following the entry into force of Regulation 2016/679, that authorising consumer protection associations to have processing contrary to the provisions of that directive brought to an end contributes to strengthening the rights of data subjects through the means of collective redress. ( 51 ) |
76. |
Thus, the defence of the collective interests of consumers by associations is particularly suited to the objective of establishing a high level of protection of personal data. To this end, the preventive function of actions brought by those associations could not be guaranteed if the representative action provided for in Article 80(2) of Regulation 2016/679 allowed only the infringement of the rights of a person individually and specifically affected by that infringement to be invoked. |
77. |
An injunctive action brought by a consumer protection association, such as the Federation, therefore indisputably contributes to ensuring the effective application of the rights protected by Regulation 2016/679. ( 52 ) |
78. |
Furthermore, it would be paradoxical, to say the least, if the strengthening of the means of supervising the rules on the protection of personal data which the EU legislature wished to introduce when it adopted Regulation 2016/679 should ultimately lead to a reduction of the level of protection of personal data by comparison with that which the Member States were able to ensure under Directive 95/46. |
79. |
It is true that, unlike the position in the United States of America, in EU law the regulations relating to unfair commercial practices and those relating to the protection of personal data have developed separately. The two areas are thus the subject of different regulatory frameworks. |
80. |
Nonetheless, there is some interaction between the two areas, so that actions falling within the framework of the regulations relating to the protection of personal data may, at the same time and indirectly, contribute to putting an end to an unfair commercial practice. The opposite is also true. ( 53 ) Incidentally, a connection between the protection of personal data, from the aspect of consent to the processing of those data, and consumer protection is expressed in Regulation 2016/679 itself, in particular in recital 42. Furthermore, the Commission has highlighted the interaction between the EU regulations on the protection of personal data and Directive 2005/29/EC. ( 54 ) |
81. |
Instances of the interaction between the law relating to the protection of personal data, consumer law and competition law are frequent and numerous, since the same conduct may be covered simultaneously by legal rules belonging to those different areas. Such actions contribute to making the protection of personal data more effective. ( 55 ) |
82. |
Admittedly, the beneficiaries of the rights provided for in Regulation 2016/679 are not limited to the category of consumers, as that regulation is not based on a consumerist concept of the protection of natural persons in relation to the processing of personal data, ( 56 ) but on the concept that that protection is, in accordance with Article 8 of the Charter of Fundamental Rights, and as stated in particular in recital 1 and Article 1(2) of that regulation, a fundamental right. ( 57 ) |
83. |
The fact nonetheless remains that, in the age of the digital economy, data subjects often have the capacity of consumers. It is for that reason that the rules designed to protect consumers are often relied on to ensure that consumers are protected against a processing of their personal data that is contrary to the provisions of Regulation 2016/679. |
84. |
Following that analysis, it must be stated that there may be an overlap between the representative action provided for in Article 80(2) of Regulation 2016/679 and that provided for in Directive 2020/1828 in order to obtain injunctive relief when ‘data subjects’, within the meaning of that regulation, also have the capacity of ‘consumer’, within the meaning of Article 3(1) of that directive. ( 58 ) I see there the sign of complementarity and convergence of the law relating to the protection of personal data with other areas of law, such as consumer law and competition law. With the adoption of that directive, the EU legislature went even further and expressly linked the protection of the collective interests of consumers with compliance with Regulation 2016/679. The effective application of the rules contained in that regulation cannot but be strengthened as a result. |
V. Conclusion
85. |
In the light of all of the foregoing considerations, I propose that the question for a preliminary ruling referred by the Bundesgerichtshof (Federal Court of Justice, Germany) be answered as follows: Article 80(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that it does not preclude national legislation which allows consumer protection associations to bring legal proceedings against the person alleged to be responsible for an infringement of the protection of personal data, on the basis of the prohibition of unfair commercial practices, the infringement of a law relating to consumer protection or the prohibition of the use of invalid general terms and conditions, provided that the objective of the representative action in question is to ensure observance of the rights which the persons affected by the contested processing derive directly from that regulation. |
( 1 ) Original language: French.
( 2 ) Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1).
( 3 ) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).
( 4 ) See judgment of 29 July 2019, Fashion ID (C‑40/17, EU:C:2019:629; ‘judgment in Fashion ID’).
( 5 ) See also recital 142 of that regulation.
( 6 ) BGBl. 2004 I, p. 1414; ‘the UWG’.
( 7 ) BGBl. 2001 I, p. 3138, 3173; ‘the UKlaG’.
( 8 ) OJ 2009 L 110, p. 30.
( 9 ) BGBl. 2007 I, p. 179; ‘the TMG’.
( 10 ) The representation of data subjects is also provided for in Article 67 of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ 2018 L 295, p. 39), and in Article 55 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ 2016 L 119, p. 89). Representation in both cases requires a mandate.
( 11 ) This tendency, given concrete form in particular by Directive 2009/22, was reflected in the recent adoption of Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ 2020 L 409, p. 1). The deadline for the transposition of the latter directive is set at 25 December 2022. See, on that subject, Pato, A., ‘Collective Redress Mechanisms in the EU’, Jurisdiction and Cross-Border Collective Redress: A European Private International Law Perspective, Bloomsbury Publishing, London, 2019, pp. 45-117. See also Gsell, B., ‘The New European Directive on Representative Actions for the Collective Interests of Consumers – A Huge, but Blurry Step Forward’, Common Market Law Review, vol. 58, Issue 5, Kluwer Law International, Alphen aan den Rijn, 2021, pp. 1365-1400.
( 12 ) See judgment in Fashion ID (paragraph 63 and the operative part).
( 13 ) See judgment in Fashion ID (paragraph 47).
( 14 ) See judgment in Fashion ID (paragraph 48).
( 15 ) See judgment in Fashion ID (paragraph 49).
( 16 ) See judgment in Fashion ID (paragraph 50).
( 17 ) See judgment in Fashion ID (paragraph 51).
( 18 ) See judgment in Fashion ID (paragraph 56 and the case-law cited).
( 19 ) See judgment in Fashion ID (paragraph 57 and the case-law cited).
( 20 ) See judgment in Fashion ID (paragraph 59).
( 21 ) Emphasis added.
( 22 ) As the Court pointed out in its judgment of 15 June 2021, Facebook Ireland and Others (C‑645/19, EU:C:2021:483, paragraph 44).
( 23 ) It follows from the preamble to Regulation 2016/679 that that regulation was adopted on the basis of Article 16 TFEU, paragraph 2 of which provides, in particular, that the European Parliament and the Council, acting in accordance with the ordinary legislative procedure, are to lay down the rules relating, first, to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and, second, to the free movement of such data.
( 24 ) Determining the extent of the harmonisation implemented by a measure such as Regulation 2016/679 therefore entails carrying out a ‘microanalysis, looking at a specific rule or at best, a specific and well-defined aspect of EU law’: see Opinion of Advocate General Bobek in Dzivev and Others (C‑310/16, EU:C:2018:623, point 74). See also Mišćenić, E. and Hoffmann, A.‑L., ‘The Role of Opening Clauses in Harmonisation of EU Law: Example of the EU’s General Data Protection Regulation (GDPR)’, EU and Comparative Law Issues and Challenges Series (ECLIC), Josip Juraj Strossmayer University of Osijek, Faculty of Law Osijek, Osijek, 2020, Issue 4, pp. 44-61, who observe that ‘it is … possible for a harmonisation measure, either EU directive or regulation, to have a full harmonisation effect with respect to certain provisions, but not all of them’ (p. 49).
( 25 ) See judgment of 6 November 2003, Lindqvist (C‑101/01, EU:C:2003:596, paragraph 96).
( 26 ) See, with respect to Directive 95/46, judgment of 6 November 2003, Lindqvist (C‑101/01, EU:C:2003:596, paragraph 97). Contrary to certain received notions, the EU legislature’s decision to employ a regulation rather than a directive is not necessarily reflected in full harmonisation in the relevant area. See Mišćenić, E. and Hoffmann, A.‑L., op. cit., who state that ‘an EU directive can lead to a more intensive harmonisation if it has a fully harmonising effect, … while an EU regulation can result in a weak degree of harmonisation, if it contains many options or derogation rules’ (p. 48).
( 27 ) See, in particular, judgment of 15 June 2021, Facebook Ireland and Others (C‑645/19, EU:C:2021:483, paragraph 110 and the case-law cited). See also, concerning an area that was previously the subject of a directive, judgment of 21 December 2011, Danske Svineproducenter (C‑316/10, EU:C:2011:863, paragraph 42), where the Court made clear that ‘the fact that the European Union legislation on the protection of animals during transport is now set out in a regulation does not necessarily mean that all national measures for the application of that legislation are now prohibited’.
( 28 ) See judgment of 27 October 1971, Rheinmühlen Düsseldorf (6/71, EU:C:1971:100).
( 29 ) Thus, the Court has accepted that a Member State which has chosen not to exercise an option offered by a regulation does not infringe Article 288 TFEU; see judgment of 17 December 2015, Imtech Marine Belgium (C‑300/14, EU:C:2015:825, paragraphs 27 to 31). See also, for a regulation putting in place export refunds that Member States may grant or refuse to grant, judgment of 27 October 1971, Rheinmühlen Düsseldorf (6/71, EU:C:1971:100).
( 30 ) See, on these opening clauses, Wagner, J. and Benecke, A., ‘National Legislation within the Framework of the GDPR, Limits and Opportunities of Member State Data Protection Law’, European Data Protection Law Review, Lexxion, Berlin, vol. 2, Issue 3, 2016, pp. 353-361.
( 31 ) See, in particular, Articles 51 and 84 of Regulation 2016/679.
( 32 ) See, in particular, Article 6(2) and (3), the second subparagraph of Article 8(1) and Articles 85 to 89 of Regulation 2016/679.
( 33 ) See, on that topic, Mišćenić, E., and Hoffmann, A.‑L., op. cit., who observed that ‘despite the initial idea of achieving a high level of harmonisation by introducing uniform rules for all Member States by means of an EU regulation, … the GDPR allows diverging solutions in many of its aspects. In doing so, it creates further inconsistencies between the legal solutions at the level of Member States, thereby contributing to legal uncertainty for those affected by its rules. More than 69 opening clauses … open up space for different legal solutions, interpretations, and, eventually, application in practice. Opening clauses also affect the legal nature and level of harmonisation of the GDPR, which is very often described by legal scholars as a directive wearing the suit of a regulation’ (pp. 50 and 51).
( 34 ) Directive 95/46 provided only, in Article 28(4), for the possibility for an association to assume responsibility for lodging a complaint with a supervisory authority on behalf of a person complaining of an infringement of his or her rights in the processing of personal data.
( 35 ) Apart from a representative action with a mandate in order to receive compensation on behalf of the data subjects, however, which remains optional for Member States.
( 36 ) See, by analogy, judgment of 21 December 2011, Danske Svineproducenter (C‑316/10, EU:C:2011:863, paragraph 43).
( 37 ) See Pato, A., ‘The National Adaptation of Article 80 GDPR: Towards the Effective Private Enforcement of Collective Data Protection Rights’, National Adaptations of the GDPR, Blogdroiteuropeen, Collection Open Access Book, Luxembourg, 2019, pp. 98-106. According to that author, ‘the number of actors who potentially have standing to sue is broad’ and ‘consumer associations will usually meet those requirements easily’ (p. 99).
( 38 ) Emphasis added. According to that provision, ‘an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. As is observed in Martial-Braz, N., ‘Le champ d’application du RGPD’, in Bensamoun, A. and Bertrand, B., Le règlement général sur la protection des données, Aspects institutionnels et matériels, Mare et Martin, Paris, 2020, pp. 19-33, ‘the identifiable nature is very broad, since the criterion for the identification of the person extends to all the means that might reasonably be employed to identify the person’ (p. 24). See, in particular, on the concept of ‘identifiable person’, within the meaning of Article 2(a) of Directive 95/46, judgment of 19 October 2016, Breyer (C‑582/14, EU:C:2016:779).
( 39 ) See Boehm, F., ‘Artikel 80 Vertretung von betroffenen Personen’, in Simitis, S., Hornung, G. and Spiecker Döhmann, I., Datenschutzrecht, DSGVO mit BDSG, Nomos, Baden-Baden, 2019, in particular paragraph 13.
( 40 ) See Frenzel, E.M., ‘Art. 80 Vertretung von betroffenen Personen’, in Paal, B.P. and Pauly, D.A., Datenschutz-Grundverordnung, Bundesdatenschutzgesetz, 3rd ed., C.H. Beck, Munich, 2021, in particular paragraph 11, and Kreße, B., ‘Artikel 80 Vertretung von betroffenen Personen’, in Sydow, G., Europäische Datenschutzverordnung, 2nd ed., Nomos, Baden-Baden, 2018, in particular paragraph 13.
( 41 ) See Moos, F. and Schefzig, J., ‘Art. 80 Vertretung von betroffenen Personen’, in Taeger, J. and Gabel, D., Kommentar DSGVO – BDSG, 3rd ed., Deutscher Fachverlag, Frankfurt am Main, 2019, in particular paragraph 22.
( 42 ) See, in particular, concerning unfair terms in contracts between sellers or suppliers and consumers, judgment of 14 April 2016, Sales Sinués and Drame Ba (C‑381/14 and C‑385/14, EU:C:2016:252, paragraph 29).
( 43 ) See recital 33 and also Article 8(3)(a) of Directive 2020/1828, which provides that ‘the qualified entity shall not be required to prove … actual loss or damage on the part of the individual consumers affected by the infringement as referred to in Article 2(1)’. Furthermore, although Article 7(2) of that directive requires the qualified entity to provide the court or administrative authority with ‘sufficient information about the consumers concerned by the representative action’, it follows from recital 34 of that directive that that information, the level of detail of which may differ depending on the measure that the qualified entity is seeking, does not cover the designation of individual consumers affected by the infringement in question, but rather information such as the place where the harmful event occurred or indeed information about the group of consumers concerned by the representative action (see also recital 65 of Directive 2020/1828). I note, moreover, that even where the representative action seeks to obtain redress measures, recital 49 of Directive 2020/1828 states that ‘the qualified entity should not be required to individually identify every consumer concerned by the representative action in order to initiate the representative action’. See, on that topic, Gsell, B., op. cit., in particular p. 1370.
( 44 ) See Article 2(1) of Directive 2020/1828.
( 45 ) See recital 3 of Directive 2009/22, which states that the injunctions coming within the scope of that directive aim to protect the ‘collective interests of consumers’. Those interests are defined as ‘interests which do not include the cumulation of interests of individuals who have been harmed by an infringement’. In Article 3(3) of Directive 2020/1828, ‘collective interests of consumers’ is defined as ‘the general interest of consumers and, in particular for the purposes of redress measures, the interests of a group of consumers’.
( 46 ) Emphasis added.
( 47 ) See Helberger, N., Zuiderveen Borgesius, F. and Reyna, A., ‘The Perfect Match? A Closer Look at the Relationship Between EU Consumer Law and Data Protection Law’, Common Market Law Review, vol. 54, Issue 5, Kluwer Law International, Alphen aan der Rijn, 2017, pp. 1427-1465, who observe that ‘one feature that unites consumer law and data protection law is the pivotal role of information as a means to mitigate information asymmetries and to empower the individual’ (p. 1437).
( 48 ) See Neun, A. and Lubitzsch, K., ‘Die neue EU-Datenschutz-Grundverordnung – Rechtsschutz und Schadensersatz’, Betriebs-Berater, Deutscher Fachverlag, Frankfurt am Main, 2017, pp. 2563-2569, in particular p. 2567.
( 49 ) See judgment of 15 June 2021, Facebook Ireland and Others (C‑645/19, EU:C:2021:483, paragraph 45).
( 50 ) See judgment of 15 June 2021, Facebook Ireland and Others (C‑645/19, EU:C:2021:483, paragraph 91).
( 51 ) See Opinion of Advocate General Bobek in Fashion ID (C‑40/17, EU:C:2018:1039, point 33).
( 52 ) For examples of actions brought by consumer protection associations, see Helberger, N., Zuiderveen Borgesius, F. and Reyna, A., op. cit., in particular pp. 1452 and 1453.
( 53 ) See, on the complementarity between actions for the protection of personal data and injunctions against unfair commercial practices, van Eijk, N., Hoofnagle, C.J. and Kannekens, E., ‘Unfair Commercial Practices: A Complementary Approach to Privacy Protection’, European Data Protection Law Review, Lexxion, Berlin, vol. 3, Issue 3, 2017, pp. 325-337, who state that ‘through applying rules on unfair commercial practices, the enforcement of privacy issues could become more effective’ (p. 336).
( 54 ) Directive of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (‘Unfair Commercial Practices Directive’) (OJ 2005 L 149, p. 22). See Commission Staff Working Document – Guidance on the implementation/application of Directive 2005/29/EC on Unfair Commercial Practices accompanying the document Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions – A comprehensive approach to stimulating cross-border e-Commerce for Europe’s citizens and businesses (SWD(2016) 163 final), in particular section 1.4.10, pp. 22 to 25. In that document, the Commission emphasises the need for fair processing, which means that the data subject should be given relevant information, relating in particular to the purposes of the processing of the personal data in question (p. 22). The Commission also states that ‘a trader’s violation of [Directive 95/46] or [Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37)] will not, in itself, always mean that the practice is also in breach of [Directive 2005/29]’. However, according to the Commission, ‘such data protection violations should be considered when assessing the overall unfairness of commercial practices under [Directive 2005/29], particularly in the situation where the trader processes consumer data in violation of data protection requirements, i.e. for direct marketing purposes or any other commercial purposes like profiling, personal pricing or big data applications’ (p. 24).
( 55 ) See, in particular, on that topic, Helberger, N., Zuiderveen Borgesius, F. and Reyna, A., op. cit., who state that ‘data protection law and consumer law could apply in parallel, and could ideally complement each other and offer a sufficiently diverse toolbox of rights and remedies to provide a high level of protection of consumers in digital markets’ (p. 1429). See also van Eijk, N., Hoofnagle, C.J. and Kannekens, E., op. cit., in particular p. 336. For an illustration of the complementarity between the rules on the protection of personal data in the electronic communications sector and the rules prohibiting unfair commercial practices by undertakings vis-à-vis consumers, see my Opinion in StWL Städtische Werke Lauf a.d. Pegnitz (C‑102/20, EU:C:2021:518).
( 56 ) See Martial-Braz, N., op. cit., in particular p. 23.
( 57 ) See judgment of 15 June 2021, Facebook Ireland and Others (C‑645/19, EU:C:2021:483, paragraph 44).
( 58 ) See recital 14 of Directive 2020/1828, which states that that directive ‘should only protect the interests of natural persons who have been harmed or may be harmed by [the infringements of EU law referred to in Annex I] if those persons are consumers under [that directive]’.