The European Court of Justice (ECJ) has significantly enhanced the ability of consumer protection associations to pursue infringements of the EU General Data Protection Regulation (GDPR) making it vital businesses ensure data protection compliance and have adequate insurance cover in place.

The ECJ ruling allows for action to be taken even without a corresponding mandate from data subjects and this increases the potential for consumer actions for companies working in the B2C sector.

The ruling creates the opportunity for collective actions if a respective capacity to sue is provided for in national provisions of the Member States. This is in line with the goal of the GDPR to ensure a high level of protection of personal data.

However, the Member States must make use of the discretion granted to them under Article 80 GDPR and provide for the representation of data subjects by consumer protection associations in their national law. Article 80 of GDPR grants the right to data subjects to mandate a non-for-profit organisation or an association active in the field of data protection to file a complaint and exercise GDPR rights on its behalf.

The ECJ decision could trigger an increase in warning letters, as consumer associations will be increasingly interested in the judicial interpretation and clarification of consumer-protective data protection standards in the future.

It is expected companies that process personal data will have to deal with not only administrative and fine proceedings initiated by the data protection authorities, but also warning letters, interim injunctions and actions for injunctions in the future.

The ECJ move follows their ruling that Germany's consumer protection association could bring a legal challenge against Facebook parent Meta over data privacy. The verdict meant that the Federation of German Consumer Organisations could seek an injunction against Meta Platforms Ireland in a German court.

The Federation alleged that Meta infringed rules on data privacy, unfair competition and consumer protection related to free games by third parties available to Facebook users. The gaming companies obtained certain personal data in the process.

The ECJ had to decide whether the GDPR precludes national provisions that provide for a capacity to sue for associations, i.e., whether associations can bring an action against the alleged infringer of the protection of personal data in order to protect consumers' interests.

W Denis Europe arranges comprehensive insurance for EEA based businesses, large and small, including, Data Protection Infringement Cover, Cyber, Errors & Omissions, Directors & Officers Liability and much more. If you wish to discuss your insurance requirements, please visit www.wdenis.eu or contact Vida Jarašiūnaitė vida.jarasiunaite@wdenis.eu or Mark Dutton mark.dutton@wdenis.com