The Federal Court of Justice (“BGH”) has submitted to the Court of Justice of the European Union (“CJEU”) the question whether consumer protection associations or competitors are authorised to initiate a civil action in case of infringements of the General Data Protection Regulation (GDPR) (BGH, decision of 28 May 2020, Ref. I ZR 186/17). In this preliminary ruling procedure, the CJEU will have to decide whether, among other provisions, Art. 80 GDPR is in conflict with member state law which allows consumer protection associations and competitors to take action against infringements of the GDPR irrespective of the violation of subjective rights of individuals and without a mandate from the data subject.
The subject matter of the lawsuit is the information regarding the processing of personal data in the “App Center” on the internet platform Facebook of the defendant Facebook Ireland Limited. The claimant, the umbrella organization of the consumer protection associations of the German federal states, is of the opinion, among other things, that the information in the “App Center” does not comply with the legal requirements for obtaining an effective consent under data protection law and that this constitutes an unfair commercial practice. The claimant based his authority to initiate civil action on sec. 8(3)(3) in conjunction with sec. 3, 3a German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb, “UWG” (Breach of law) and on sec. 3(1)(1)(1) in conjunction with sec. 2(1), (2)(1)(11) German Act On Injunctive Relief (Unterlassungsklagengesetz, “UKlaG”) (unlawful processing of personal data).
Decision of the BGH
The BGH points out that the authorisation to initiate civil action of consumer protection associations in the case of infringements of data protection law is disputed in case law and in literature. On the one hand, it is argued that Art. 80 GDPR is conclusive and that the right to initiate an action is only given if all the requirements of Art. 80 GDPR are met. In the opinion of the BGH, this is not the case with regard to the above-mentioned provisions of the UWG and the UKlaG. The opposing view regards the provision as not conclusive, which is why it should in any case be possible for consumer protection associations to initiate civil action against GDPR infringements even without a mandate from the individual. The recent decision of the CJEU in the Fashion ID case (CJEU, judgment of 29 July 2019, case C-40/17) does not provide clarity with regard to the GDPR, as it only refers to the – since expired – Directive 95/46/EC.
Consequences and advice
It can be expected that the decision of the CJEU will remove considerable legal uncertainty with regard to the applicability and, if necessary, interpretation of the provisions of the UWG and UKlaG.
The CJEU will first have to decide whether and to what extent the relevant provisions of the UWG and UKlaG comply with Art. 80 GDPR. National law is in principle to be measured against the entire scope of such an opening clause. However, the provisions of the UWG and UKlaG do not coincide entirely with the scope of Art. 80 GDPR – the UWG only concerns market conduct provisions, the UKlaG only covers the processing operations listed in sec. 2(1)(2)(1)(11) UKlaG. This contradicts the legislative approach of achieving full harmonisation of the level of data protection throughout the EU – also with regard to enforcement – through the GDPR. A decision of the CJEU declaring the incompatibility would inevitably lead the German legislator to follow up in national law.
If the CJEU were to rule against the compatibility of the provisions with the GDPR, it would have to be further examined whether the provisions on remedies, liability and sanctions in Chapter VIII of the GDPR, in particular Art. 80(1) and (2) and Art. 84(1) GDPR, are conclusive or whether the Member States are allowed to pass legislation going beyond this.
If the CJEU answers one of the above questions in the affirmative, guidance as to the interpretation of the national provisions can be expected. It is in fact disputed whether data protection law can in principle constitute market conduct provisions within the meaning of the UWG. If this is the case, it is furthermore unclear which criteria are to be used to determine the market conduct regulating character of an individual provision.
The UKlaG currently only covers only provisions which regulate the lawfulness of the collection, processing and use of personal data of consumers by undertakings, for purposes of advertising, market and opinion research, the operation of a credit rating agency, the creation of personality and usage profiles, address trading, other data trading or for comparable commercial purposes. The CJEU could specify which provisions of the GDPR are affected. It is already clear that only those provisions which concern the actual processing of personal data and not those which contain other data protection obligations can be affected.
Until the CJEU reaches a decision, courts should suspend civil actions by consumer protection associations and competitors based on GDPR infringements within the scope of a proper exercise of discretion in corresponding application of § 148 German Code of Civil Procedure (Zivilprozessordnung, “ZPO”) (see BGH, Order of 11 April 2019, Ref. I ZR 186/17).
For more information, please contact Prof. Dr. Stefan Engels (Partner, Hamburg), Verena Grentzenberg (Partner, Hamburg), Yannick Zirnstein (Associate, Cologne) or Jan Spittka (Counsel, Cologne).