Client Alert

Catching Up? A New Consumer Protection Cooperation Regime for the EU

02 Feb 2018


The European Union (“EU”) has long had a focus on consumer protection of EU residents. A new proposed EU regulation is set to improve the cross-border enforcement regime for consumer protection legislation. The new rules will give more teeth to national authorities in EU Member States, allowing them to deal more effectively with cross-border infringements of EU consumer legislation.

These changes are part of a wider programme of reform affecting all businesses operating in the Technology, Media and Telecoms sectors in Europe.


The European Commission launched its Digital Single Market (“DSM”) strategy in May 2015. We have written a number of articles following the DSM’s progress: at its inception, one year in and in 2017 following a mid-term review.

The DSM strategy is broken down into three “pillars” and 16 “Key Actions”. The first Key Action aims to extend the rights held by European consumers by implementing a more harmonised set of rules for the supply of digital content and sale of online goods across the EU and to make it easier and less costly for businesses to engage in cross-border commerce. Key Action 2 hones in on the capacity of EU Member States (and Iceland, Liechtenstein and Norway) to protect such rights through more effective enforcement of consumer protection laws.

Under Key Action 2, the EU has adopted a revised Consumer Protection Cooperation Regulation (the “CPC Regulation”), repealing an old Regulation from 2006. The CPC Regulation will apply from 17 January 2020 and:

  • sets out clear criteria for consumer law infringements, in respect of which national authorities and the Commission must cooperate to take action;
  • introduces a better alert mechanism to allow more effective communication between stakeholders; and
  • gives national authorities the capacity to take specific action against infringers.

However, the reforms only go so far. The CPC Regulation stops short of prescribing specific enforcement measures that national authorities should take and does not set out a common EU-wide penalty regime. As a result, the impact on organisations selling to consumers in the EU may be more indirect (in the sense of a more joined-up – although by no means harmonised – monitoring and enforcement regime) than the sort of direct effect that would have come from new consumer protection laws.


The EU consumer protection enforcement framework, first established with the 2006 Regulation, is designed to allow the relevant national authorities in EU Member States to jointly address breaches of consumer law that span more than one country. The framework introduced a mutual assistance mechanism – allowing Member States to aid each other with ongoing infringements that affected more than one Member State – as well as a network of European Consumer Centres to act as a port of call for consumers who felt that their rights had been breached.

Despite the 2006 Regulation’s best intentions, the Commission came to the conclusion in its DSM strategy that the existing framework was ill-equipped to deal with the challenges brought about by the digital sector. The Commission notes:

  • a disparity between consumer confidence in purchasing goods online from retailers in their own Member State, as opposed to retailers in other Member States. Only 38% had faith in the latter, compared to 61% in the former;
  • 68% of all cross-border complaints received by European Consumer Centres in 2015 were related to e-commerce; and
  • an impact assessment carried out by the Commission in 2014 found that 37% of e-commerce booking websites for travel, entertainment, clothing, electronic goods and financial services did not respect basic consumer rights, at a potential cost of €770 million for consumers shopping cross-border in these sectors.

For the Commission, these numbers highlighted the inadequacy of an existing enforcement framework that was at risk of being left behind by a rapidly evolving e-commerce sector.


As a result of these shortcomings, the EU has revised the old regime in order to strengthen existing legislation and develop mechanisms to ensure that cross-border and widespread infringements to EU consumer law are detected and addressed.

While a small number of the Commission’s original proposals fell by the wayside – notably a surveillance mechanism allowing the Commission to have oversight over Member States’ compliance with enforcement plans – the Commission’s proposals generally saw their way through debates in the European Parliament and Council and into the final CPC Regulation.

The most notable changes made by the CPC Regulation are set out below.

“Widespread Infringement” and “Infringement with a Union Dimension”

The revised CPC Regulation includes two new concepts: one of “widespread infringement” – an infringement of EU consumer law that affects at least two Member States; and the other of “infringement with a Union Dimension” – an infringement that affects two thirds of Member States with two thirds of the EU population. 

These new concepts are intended to allow for a more effective response from national authorities in Member States, by compelling them to act in specified scenarios. Widespread infringements will require that national authorities in the relevant Member States launch a coordinated action. In the case of infringements with a Union dimension, the Commission itself will coordinate the necessary action, liaising with the relevant national authorities as required. Even where an infringement does not meet the criteria of a widespread infringement or an infringement with a Union dimension, Member States are still free to request help with investigation and enforcement from other Member States, under the mutual assistance mechanism introduced by the 2006 Regulation.

Increased Powers for National Authorities

The CPC Regulation also provides national authorities in Member States with more powers to enforce EU consumer law, including the right to:

  • undertake mystery shopping i.e. trying to ascertain any infringements while pretending to be a normal shopper;
  • take down an infringing website;
  • order the restitution of profits or compensation to consumers; and
  • request information from domain registrars, internet service providers and banks to identify the infringing trader. 

National authorities will also have the capacity to act in the case of past infringements (subject to a limitation period of five years), while the 2006 Regulation only provided a mechanism for enforcement against current, on-going infringements.


As one might expect from an initiative designed to enhance cooperation between Member States, increased and effective communication forms a key part of the revised CPC Regulation. In particular, a national authority must alert the Commission and other national authorities if it suspects that there is an infringement in its territory that may affect other Member States.

The CPC Regulation will also provide consumer and trader organisations, European Consumer Centres and other designated bodies the opportunity to formally post alerts regarding suspected infringements to competent authorities within Member States, as well as to the Commission.


While the CPC Regulation has a tangible impact on the mechanisms of cooperation between Member States, the actual method of enforcement of consumer law is still entirely in the control of national authorities. As described above, there is capacity for the Commission to coordinate action by national authorities, but only national authorities are permitted by the CPC Regulation to take action against infringing traders. The Commission may only take part in any investigation or enforcement action if invited to do so by the relevant national authority.

The CPC Regulation does not change any substantive consumer law as it applies to organisations, nor does it address how national authorities should actually go about enforcing that consumer law. Rather, the CPC Regulation sets out the enforcement measures that national authorities can take, ranging from the increased powers referenced above, to “the power to adopt interim measures”, to the power toimpose penalties, such as fines or periodic penalty payments. Unlike the General Data Protection Regulation (“GDPR”) in effect from May 2018, the CPC Regulation is not prescriptive as to how extensive any fines may be.

The CPC Regulation goes so far as to say that a national authority must take enforcement measures to bring about the cessation of infringing activity when requested to do so by a national authority acting in accordance with the CPC Regulation. However, there is no prescription as to what that enforcement should actually look like, save that it should be necessary and proportionate. The CPC Regulation suggests that national authorities should seek remedial measures from traders in order to compensate consumers. Such remedies might include: repair, replacement, price reductions, the termination of contract or the reimbursement of the price paid for the goods or services; but, again, there is nothing prescriptive or concrete in terms of substantive measures that national authorities should take in specific scenarios.

Similarly, there is no mention of obligations on national authorities to take specific measures to improve or enhance their enforcement regimes. Rather, the CPC Regulation solely governs the relationship between Member States in working together to launch actions against organisations that infringe consumer law. In its Recitals, the CPC Regulation stresses the importance of national authorities having the means to effectively deal with consumer law infringement but places more emphasis on the need for the Commission and national authorities to communicate and cooperate in order to prevent large scale infringement, as opposed to a specific and stringent penalty regime, as is the case with the GDPR.

This lack of prescription indicates that while the EU has appeared to create a stronger web between national authorities and the Commission to cooperate in addressing large scale infringement of consumer law, it does not go as far as it might have done. There is no indication, for example, that competitors of traders can bring claims based on unfair terms, as is the case in Germany with regard to cease and desist claims, nor is there a new system of penalties and fines. As such, the risk and impact on actual traders may not be as drastic as might be expected. The EU is clearly aiming for a more effective and efficient system to deal with the infringement of its consumer law, but this (at least in the context of the CPC Regulation) appears to focus more heavily on communication between the Commission and national authorities, rather than imposing a more severe set of penalties and enforcement measures that national authorities should use to punish traders.


While the CPC Regulation was adopted in January 2018, its provisions will not actually apply until January 2020. Of course, it remains to be seen just how effective the Regulation is in curbing cross-border infringement of EU consumer law. Certainly, the development does not represent a vast change in compliance rules for organisations operating in the EU: it remains as important as ever for organisations to ensure that they do not fall foul of consumer legislation.  Moreover, while national authorities do have some increased powers under the CPC Regulation, there is no indication that the new legislation will bring with it draconian fines or extremely harsh penalty regimes.

From the Commission’s perspective, the fact that the CPC Regulation has been adopted will provide comfort. As we mentioned in a previous article, the Commission made clear in its 2018 Work Programme that the DSM is a priority for the year ahead, and it will hope that this will be the first of many legislative proposals to come to fruition in what is undoubtedly a key year for the DSM strategy.


Rayhaan Vankalwala, a Trainee Solicitor in our London office, contributed to the writing of this alert.



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.