GDPR enforcement deadlock could be eased as consumer bodies win right to bring cases

28 April 2022 11:12 by Sam Clark

Under-resourced and under pressure, the Irish Data Protection Commission has long endured criticism from privacy campaigners who say it has failed to force Big Tech to fall in line with the rules of the General Data Protection Regulation.

With most Big Tech companies’ European headquarters based in Dublin, the Irish authority is the de facto regulator for the most high-profile data protection enforcement. But, to the relief of its critics, that bottleneck may be opening up.

The European Court of Justice ruled earlier today that bodies such as VZBV, the umbrella organization of German consumer associations, are allowed to bring mass claims related to data protection in the GDPR era.

Such claims were allowed under the GDPR’s predecessor, the 1995 Data Protection Directive. But because the GDPR introduced a specific mechanism allowing consumer bodies, under certain conditions and for specific violations, to bring mass claims, it became unclear whether the updated law blocked such actions outside those parameters.

Today’s case, referred by the German Federal Court of Justice, raised the specific question of whether VZBV had standing under the GDPR to bring civil proceedings related to data protection, without “an actual infringement of the rights of individual data subjects and without being mandated by them.” The EU’s highest court ruled that it did.

Mass claims

The GDPR harmonizes national data protection legislation across the EU, the court said, but also leaves a "margin of discretion" for countries to decide the way the rules are implemented.

VZBV’s litigation head Heiko Dünkel, speaking to MLex before the ruling, said it would have been a “paradox” for the court to say that the GDPR blocks consumer associations from bringing cases. Such a ruling would have made it harder to enforce the GDPR than its predecessor, but the GDPR was designed to upgrade data protection rights and enforcement.

The Court of Justice seemed to agree, saying in a press release today that the interpretation in the ruling is “consistent with the objective pursued by the GDPR … in particular, ensuring a high level of protection of personal data.”

The effect of the ruling is to some extent country-specific. German law specifies that consumer associations can make data protection claims arguing that a GDPR infringement is also either an unfair commercial practice or an infringement of consumer rights. VZBV’s Dünkel described these as “bridges” into the GDPR.

Nevertheless, the ruling does in theory allow consumer bodies across the EU to pursue the same routes, opening up an alternative mechanism to enforcement by data protection authorities. Figures from consumer protection associations said they do not expect a torrent of cases across the bloc, but rather a restart of existing German cases that have been put on hold.

Dünkel told MLex yesterday that VZBV has more than 20 data protection-related cases, including some against Big Tech companies, pending in German courts awaiting today’s decision.

And importantly, while data protection authorities have to work within the tight confines of the GDPR — and with the prospect of inevitable appeals against big fines — consumer associations can bring cases in courts where they have significant experience and can be more creative in the way they bring claims.

But the ruling is not the only green light for such claims. The Representative Actions Directive, which applies from next summer, refers to dozens of other laws under which qualified consumer groups can bring mass claims, including the GDPR. This could prompt more cases across the EU, including in countries without a legal tradition of mass claims.

Enforcement

This shift will be welcome news to those who, when the GDPR came into force in 2018, hoped to see a serious crackdown on the largest technology companies, which they say have long infringed data protection rights on a massive scale.

In the four years since the GDPR came into force, it has become almost axiomatic that the core problem with the regulation is its enforcement, rather than the content of the law.

Although large-scale Big Tech enforcement has started to ramp up in recent years, many of those campaigners — and some data protection regulators — have found themselves disappointed, arguing that the Irish Data Protection Commission had been too soft on the Big Tech companies.

Those campaigners may find a more reliable ally in the consumer bodies, which can take on the Big Tech companies on their own terms and their own timelines.

BEUC, the European consumer organization, has bemoaned long delays to a complaint it filed with the Irish Data Protection Commission about Google’s use of location data; it should soon find itself more able to take these types of complaints straight to the companies in court, without having to wait for a regulator to see it through.

The increasing ease with which bodies like BEUC and VZBV are now able to bring mass data protection claims may represent an alternative to regulatory enforcement, and one which may prove more effective in holding Big Tech companies to account.
