The European Court of Justice has issued an important judgment this morning confirming that consumer bodies can bring opt-out class action claims for breaches of data protection, including where the infringement also relates to consumer protection and unfair commercial practices laws.
With a few high-profile exceptions, consumer group-led class actions for breaches of European privacy rules haven’t taken off in the way that businesses might have expected or feared. Today’s judgment doesn’t fundamentally change the ability of consumer associations to bring those claims, so it’s going to be interesting to see whether they are emboldened now to ramp up their activities in this area.
One aspect of the judgment that consumer groups might look to capitalise on is the confirmation that they can bring claims relating to unfair commercial practices and consumer protection laws if the allegedly infringing practices also involve data protection. Combined with the low threshold for bringing claims, that’s going to create additional challenges for businesses, who are now on notice that they need to view their practices through the dual lenses of privacy and consumer protection, if they don’t already.
But if you’re being cynical the real winners here are the overstretched and underfunded regulators — some of whom may secretly be hoping that increased consumer group litigation will help to lift the burden on their shoulders and deflect criticisms about their own lack of enforcement.
The GDPR does not preclude national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation