On December 2, 2021, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) held that consumer protection associations may bring collective claims without a mandate for violations of the GDPR relying on national consumer law provisions (see here).  The words “without a mandate” mean that the organization is not representing a particular consumer or group of consumers, rather, it is representing the collective interests of those whose personal data have been processed in a manner contrary to the GDPR without identifying particular individuals.  According to the AG, this is compatible with Article 80(2) of the GDPR.

The case relates to an injunction order lodged by a German consumer protection organization against a social media provider for allegedly allowing on its platform “free” games in violation of data protection law and relatedly in violation of the German consumer law.  The organization did not have a mandate from impacted consumers to lodge the claim before the German court.  But, the organization relied on a provision under German consumer law that allows it to lodge collective claims without a mandate.

The German court requested that the CJEU consider whether the consumer organization could have relied on such a provision for claims relating to violations of the GDPR.  The AG held that the GDPR does not preclude this.  However, the AG pointed out that consumer organizations may only initiate collective claims without a mandate where this option is provided for under EU Member State law.

It now is to be seen whether the CJEU follows the AG’s opinion.  We will report back once it is published.

Print:
EmailTweetLikeLinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws…

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws, as well as associated information technology and e-commerce laws and regulations. Mr. Cooper also regularly counsels clients with respect to Internet-related liabilities under European and US laws. Mr. Cooper sits on the advisory boards of a number of privacy NGOs, privacy think tanks, and related bodies.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.