Last week the Court of Justice of the European Union (CJEU) issued a ruling that allows consumer groups to start legal actions against data protection rules violations, even when not mandated by the data subjects themselves. The CJEU ruled that Germany's consumer protection association could bring a legal challenge against Facebook parent Meta over data privacy. The issue, in this case, was that according to the German consumer organisation, Meta had disobeyed data privacy rules.
In the legal proceedings, there were some open questions that the CJEU has now addressed. The German Court asked the CJEU, if under the General Data Protection Regulation (GDPR), a consumer body could take legal action over data privacy infringements, or whether this was only for national supervisory authorities. The processing of personal data can affect individuals in their capacity as consumers. It would be contradictory if data protection law, which is intended to protect individuals, does not allow consumer bodies to file claims and violations to protect consumers.
The CJEU found the legal action issued by the German court well-founded, however, its admissibility was still questioned. The verdict is that the GDPR does not preclude national legislation allowing consumer protection associations to bring legal proceedings. The German consumer association is, in this case, a body that can start legal actions on behalf of the public regarding GDPR, without identifying the data subjects whose rights have been infringed.