GDPR does not prevent consumer protection groups from taking legal action
Latest opinion of EU’s Advocate General (ECJ) could influence UK legal position on data privacy class actions.
UK class action regime
In the recent case of Lloyd v Google, Mr Lloyd sought to bring a representative claim under Civil Procedure Rules. Read more about this judgment in our article here. A major reason Mr Lloyd was unsuccessful was because he failed to reach the threshold of evidence required, namely that all those he represented held the ‘same interest’ in the claim. His reliance on the representative rule was because there is no ‘opt-out’ class action specific legislative regime in place in the UK relating to data protection matters. However, the latest preliminary ruling by the Advocate General (AG) of the ECJ leaves open the possibility that this could change in future.
The AG’s opinion relates to the case of Facebook Ireland Limited v Bundesverdand der Verbraucherzentralen und Verbraucherverbande – Verbraucherzentrale Bundesverband e.V (Federation of German Consumer Organisations), Dec 2021.
The Federal Court of Justice, Germany (BGH) asked the AG for an interpretation of the General Data Protection Regulation ((EU) 2016/679) (EU GDPR), to help determine whether the Federation had the standing to bring a court injunction against Facebook Ireland. The Federation alleged that Facebook Ireland had failed to provide fair processing information to individual users of free games via its apps centre. It also alleged that rules for consumer protection and preventing unfair competition had been breached.
In the AG’s opinion article 80 (2) of the EU GDPR does not preclude national legislation by a member state to allow consumer protection associations to bring legal proceedings against a person allegedly responsible for an infringement of the protection of personal data. According to the AG this is the position even where the action is raised independently of an actual infringement of an individual’s rights and without requiring a mandate from them (thus permitting action to be taken on an ‘opt-out’ basis).
The AG’s opinion is not binding on the European Court of Justice (ECJ). It is the role of the AG to propose legal solutions to the matters referred to him, independently of the ECJ. However, his opinion is influential on the ECJ which will now issue a judgment to the BGH.
If the ECJ concurs with the AG, their judgement could have implications for the UK data protection regime, since it continues largely to mirror EU law post-Brexit. It will also be of particular interest to organisations whose data processing operations fall within the scope of both the UK and EU versions of the GDPR. Until now the UK has chosen not to introduce a specific class action regime and the judgment in Lloyd v Google will potentially diminish the appetite for ‘opt-out’ class actions. Consumer rights campaigners and litigation funders have been left questioning whether English law provides a sufficient deterrent to organisations who break data protection laws, especially in cases where there are serious breaches of data protection law which result in only nominal damage to each individual. However, the stance taken by the ECJ could influence changes in the UK, with the potential for an equivalent to the ‘opt-out’ and ‘opt-in’ regimes which already exist for competition claims.