A ruling by the European Union's top court today is set to unblock a raft of litigation brought by consumer protection organizations seeking to apply the bloc's General Data Protection Regulation (GDPR) standard against tech giants such as Facebook and Twitter over issues like whether they gather properly informed consent to process people's data.
In a judgment today, the Court of Justice (CJEU) affirmed that consumer protection organizations can bring representative actions against infringements of the bloc's laws protecting people's data under GDPR.
The referral to the CJEU came from a German court in a case brought against Meta (Facebook) by the German Federal Union of Consumer Organisations and Associations (aka the vzbv) relating to the ToS of certain free games apps running on its platform which force consent from users by not providing them with an option to decline processing if they play the game.
In a brief response statement, a Meta spokesperson said: “The underlying legal proceedings showed that there were some open questions, which the CJEU has now addressed. We will review the decision and assess its implications.”
The CJEU ruling prefigures a wider change -- coming to EU next year, when the Representative Actions Directive come into application in June -- which will further expand the ability of consumer rights groups to litigate on behalf of individuals whose rights they believe are being violated.
"By today’s judgment, the Court finds that the GDPR does not preclude national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation," the court writes in a press release.
Tech giants have typically tried to derail these kinds of privacy suits by arguing national courts do not have jurisdiction under the GDPR -- which is intended to harmonize national legislation in this area. It also contains a mechanism (the one-stop-shop; OSS), which funnels cross-border GDPR complaints through a lead data protection agency in the EU Member State where each entity locates their regional HQ (for many most tech giants that means Ireland).
EU lawmakers included the OSS to simplify compliance for businesses. But its existence has supercharged the anti-consumer-rights practice of forum shopping -- whereby corporate giants flock together around 'friendly' regulators, piling on pressure at a political level -- say, by touting the local jobs and wealth their presence creates -- to encourage oversight that aligns with their commercial interests.
The tactic also effectively shrinks the resources of the regulator by piling on complex case work.
All these pressures can and have contributed to GDPR enforcement bottlenecks, delays in decisions and even investigations being dropped or never opened in the first place. And complaints over this recently led to an investigation being opened into the European Commission's monitoring of the GDPR's application by the EU's ombudsperson.
In Facebook's case, oversight by Ireland has led to the equivalent of a total freeze on enforcement -- as the service has not been hit with a single final GDPR decision since the regulation came into application in May 2018, despite myriad complaints (some of which now date back almost four years).
Ireland did finally produce a decision on a complaint against Facebook-owned WhatsApp last year. But scores more complaints continue to languish -- and only today the European privacy rights group, noyb, announced that the Irish Data Protection Commission (DPC) had settled with it over what it described as a "gross delay" in two cases related to Facebook-owned Instagram and WhatsApp which it also said will see Irish taxpayers footing a legal bill of several tens of thousands of euros.
"Forty-seven months after the filing of the cases on Facebook's 'consent bypass,' the DPC agreed to pay tens of thousands in costs for a Judicial Review over delays," noyb wrote in a press release. "While the GDPR requires a decision 'without delay' the DPC takes the view that four years for producing a draft decision is reasonable. In most EU Member States the law requires a decision within three to 12 months."
Noyb's press release offers an eye-tickling visual metaphor for forum shopping -- illustrating the latest painstaking development in the never-ending regulatory saga with a picture of a snail crawling over a pile of money. (In case it wasn't clear, the snail is Ireland's DPC; not pictured: Facebook holding everyone's data and laughing all the way to the bank.)
This embarrassing GDPR enforcement bottleneck continues to take the shine off the EU's flagship data protection regulation -- making it extremely hard for individuals to exercise their rights against the most powerful tech platforms.
That in turn means that any avenues which open up the possibility of more litigation against big tech -- and today's ruling is not the first such CJEU judgement -- are important to resetting the power imbalance between platform giants and individual web users. Although the pan-EU change coming next year -- via application of the Representative Actions Directive -- should unlock more actions as that legislation will not rely on the procedure in question existing at a national level.
Nonetheless, in a note on its website (which we've translate from German), the vzbv calls the CJEU decision a "landmark ruling," saying it means the Federal Court of Justice is "on the train again." The consumer group has spent years trying to litigate against Facebook in areas like unfair privacy settings, while Meta's lawyers have giving it the runaround, arguing against local courts having any jurisdiction to hear the challenges.
In the statement, Jutta Gurkmann, board member of the vzbv, added that today's CJEU ruling "puts an end to the tiresome debate about consumer associations' right to sue for data protection."
"It is an open secret that some European data protection authorities are not quite able to cope with the escalating data collection of the big technology companies," she also said, adding: "In the past, this enforcement deficit increasingly gnawed at the acceptance of the GDPR.
"Now it is clear: In addition to the supervisory authorities, civil society organizations such as the vzbv can also punish violations of the GDPR to a very large extent. The vzbv has been successfully and efficiently suing Meta, Google and Co. for a long time. Today's ECJ judgment creates legal certainty until the European Class Actions Directive to be implemented this year, which also contains such a power."
Also commenting on the CJEU ruling in a statement, Ursula Pachl, deputy director general of the European consumer organization, BEUC, welcomed it as "good news," while underscoring the importance of the looming June 2023 pan-EU directive.
“Today’s ruling is good news because it underlines that consumer groups can file collective claims against companies like Meta in case of a breach of the GDPR, as long as this procedure exists at national level. The GDPR is a crucial law that protects people’s personal data in the EU. It is essential that it is better enforced, and rulings like today’s will help," she said.
“As of next year, new EU rules will allow consumer groups to launch representative actions, which will further improve the situation. It will then be possible for consumer associations in all EU countries, as long as they meet certain criteria, to launch injunctions or collective redress claims against companies that break the law, including under the GDPR. A new era in enforcement by consumer groups will then begin.”