GDPR: Federal Court of Justice refers question on standing of consumer protection associations to European Court of Justice for preliminary ruling.

In its decision of May 28, 2020, the German Federal Court of Justice referred to the European Court of Justice the question of whether consumer protection associations are authorized to pursue violations of data protection law by way of an action, irrespective of the infringement of specific rights of individual data subjects and without a mandate from a data subject.

Background
In 2013, the umbrella organization of consumer advice centers in the German states filed a lawsuit for injunctive relief against a social network. The defendant had made free online games from other providers available to its users. The plaintiff complains, among other things, that the data privacy notices under the corresponding “Play Now” button do not comply with the legal requirements for obtaining effective user consent under data privacy law due to a lack of transparency.
The district court had sentenced the defendant as requested. The defendant’s appeal was also unsuccessful. The Federal Court of Justice now has to rule on the admissibility of the consumer protection association’s action on appeal and, if necessary, on the injunctive relief sought.
Since an interpretation of provisions of the General Data Protection Regulation is required to assess the standing of consumer associations to bring an action, the proceedings were suspended and the question was referred to the Court of Justice of the European Union for a preliminary ruling.

Legal classification
The question of whether the umbrella organization of consumer associations in the German states is authorized to bring this action depends, among other things, on the interpretation of Article 80 of the GDPR, which governs the authority to assert rights based on violations of data protection law. In the opinion of the Federal Court of Justice, the decisive question is whether Article 80 of the GDPR conclusively regulates the enforcement of the data protection provisions set out in this Regulation, a question that is also disputed in the case law of the courts of instance and in the legal literature.
If this regulation were to be final, the consumer protection association would not be authorized to bring this action because the necessary requirements of the General Data Protection Regulation have not been met. If the provisions do not preclude further, deviating regulations, the action for injunctive relief would in any case be admissible under German law.
It is therefore questionable whether, in addition to the provisions of European law, the provision in German laws, such as the Unfair Competition Act and the Injunctions Act, also apply. These grant associations, institutions and chambers as well as competitors the power to take action against the controller by way of a lawsuit before the civil courts for violations of the General Data Protection Regulation, irrespective of the violation of specific rights of individual data subjects and without a mandate from a data subject.
The European Court of Justice had already ruled in its judgment of July 29, 2019, that the provisions of the Data Protection Directive, which applied until the entry into force of the General Data Protection Regulation on May 25, 2018, do not preclude associations from bringing an action. In this decision, the European Court of Justice left open whether this right of action continues to apply under the now applicable General Data Protection Regulation.

Evaluation
Among other things, the decision in these proceedings has implications for the question of whether competitors can also pursue violations of data protection law under competition law aspects. Should the ECJ affirm the right of action, it cannot be ruled out that the wave of warning letters feared since the entry into force of the GDPR will occur. The decision thus has significant implications for all companies.