CJEU

In May 2025, the Court of Justice of the EU (“CJEU”) ruled on five cases applying EU consumer protection law. This blog post provides an overview of the decisions.

  • Three of these cases relate to the EU Unfair Contract Terms Directive (“UCTD”), which protects consumers from unfair terms in contracts with businesses. It applies to standard terms that have not been individually negotiated and ensures they are transparent, clear, and balanced. If a term is found to be unfair, it is not binding on the consumer—and its use can expose businesses to enforcement actions, including fines, under national laws.
  • The fourth case relates to the EU Directive on Misleading and Comparative Advertising (“DMCA”), which aims to protect businesses and consumers by prohibiting advertising that misleads or distorts competition. It also sets out conditions for permitted comparative advertising—comparing one product or service with another—to ensure fairness and accuracy.
  • The fifth case concerns the EU Directive on Electronic Commerce (“DEC”), which sets transparency obligations for online commercial communications. Specifically, it requires that online promotions clearly disclose the conditions for benefiting from the offer, ensuring that consumers are fully informed before making a decision.

We have summarized these cases below.Continue Reading Overview of Key CJEU Rulings on EU Consumer Protection Law of May 2025

On March 20, 2025, the Court of Justice of the European Union (“CJEU”) ruled on the fairness, under EU consumer protection law, of a contractual clause allocating a percentage of an athlete’s income to a professional services provider (Case C‑365/23 [Arce]).  This ruling sets an important precedent and strengthens the protection afforded by consumer protection law to minors who enter into professional service contracts, whether in sport or elsewhere.Continue Reading CJEU Rules on Fairness of Remuneration Clause in Sports Contract

On February 6, 2025, Advocate General Spielmann released his opinion in the EDPS vs. SRB case (Case C‑413/23 P).  In this case, the European Data Protection Supervisor appealed a decision from the General Court (see our blog post here).

In essence, the case turns on the question of whether

Continue Reading CJEU Advocate General Supports Pragmatic Definition of Personal Data

On May 30, 2024, the European Court of Justice (“CJEU”) ruled that any button a consumer uses to order a service online must clearly indicate that the consumer commits to pay the price for the relevant service by affirmatively clicking on it. (Conny Case C-400/22) At issue was whether this requirement applies in cases where the consumer’s obligation to pay the trader is subject to the trader meeting a specific condition specified in the contract. The CJEU confirmed that the rule applies in such cases.Continue Reading CJEU Clarifies Online “Order Buttons” Must Indicate that the Consumer is Assuming an Obligation to Pay

On October 26, 2023, the European Court of Justice (“CJEU”) decided that the GDPR grants a patient the right to obtain a copy of his or her medical record free of charge (case C-307/22, FT v DW).   As a result, the CJEU held that a provision under German law that permitted doctors to ask their patients to pay for the costs associated with providing access to their medical record is contrary to EU law.Continue Reading CJEU Holds That GDPR Right of Access Overrules Local Laws

On May 4, 2023, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued its opinion in case C-683/21, which examines the GDPR concepts of “controller”, “joint controller”, and “processor”, as well as the GDPR’s liability system.Continue Reading CJEU’s Advocate General Issues Opinion on Concept of Controller, Joint Controller, Processor, and Administrative Fines

On May 4, 2023, the Court of Justice of the European Union (‘CJEU’) decided, in case C-487/21, that the right to obtain a ‘copy’ of personal data means that the data subject must be provided with a faithful and intelligible reproduction of all personal data.  This can also include documents or extracts from databases containing personal data, where it would be necessary to ensure that the personal data is intelligible, as per Article 15(3) GDPR.Continue Reading CJEU Clarifies the Right to Obtain a Copy of Personal Data under the GDPR

On April 27, 2023, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued its opinion in the case C-807/21 on the conditions for imposing GDPR fines on legal persons (e.g., companies).  He opined that Member States’ law may not stipulate conditions going beyond those set out in the GDPR that make it more difficult to impute GDPR infringements to companies.  In addition, he is of the opinion that the GDPR penalties may only be imposed on intentional or negligent conducts, since the GDPR does not provide for a strict liability (no fault) system.Continue Reading CJEU’s Advocate General Issues Opinion on GDPR Fines Against Companies

On February 9, 2023, the Court of Justice of the EU (“CJEU”) released two separate rulings on the dismissal of data protection officers (“DPOs”) under the German Federal Data Protection Law (“German DPL”) (C-453/21 and C-560/21).  The main question in both cases was whether Section 6(4) of the German DPL which permits the dismissal of a DPO with “just cause” is compatible with the GDPR.  In short, the CJEU (i) found that the provision was compatible with the GDPR because EU member states can use “just cause” as a threshold for dismissal as long as this does not undermine the objectives set for DPOs under the GDPR, and (ii) clarified the criteria EU member states should take into account to determine whether there is a conflict of interest.Continue Reading Court of Justice of the EU Clarifies Rules on Data Protection Officers’ Dismissal and Conflicts of Interest

On December 15, 2022, the Advocate Generals (“AG”) of the Court of Justice of the European Union (“CJEU”) issued two separate opinions in cases C‑487/21 and C‑579/21 on the right of access, pursuant to Article 15 GDPR.  The first case concerns the proper interpretation and application of Article 15(3), which permits a data subject to obtain a “copy” of their personal data, among other things. The second case concerns whether the right of access includes the right to receive the identity of the controller’s employees, who are processing the data subject’s personal data in the scope of their employment.Continue Reading CJEU’s Advocate General Issues Opinions on the GDPR’s Right of Access to Personal Data