Case Summary and Outcome

The Third Chamber of the Court of Justice of the European Union (CJEU) upheld the right of consumer protection associations to hold companies liable for violating the General Data Protection Regulation (GDPR). The German Federal Union of Consumer Organisations and Associations brought an action for an injunction against Meta Platforms Ireland for an infringement of the right to data protection of a data subject under GDPR, without a mandate from a data subject. Meta Platforms Ireland is the controller of the personal data of users of the popular social network “Facebook” in the European Union. The Facebook internet platform contains, at the internet address www.facebook.de, an area called ‘App-Zentrum’ (‘App Center’) on which Meta Platforms Ireland makes available to users free games provided by third parties. When viewing some of those games, the user is informed that use of the application concerned enables the gaming company to obtain a certain amount of personal data and gives it permission to publish data on behalf of that user. In this judgement, the German Consumer Organisation was given standing to bring about a case in court concerning the violation of rights of consumers who are also data subjects. The Court held that this could be done independently if the national law provided for it. As per GDPR, Member States are given the discretion to set out additional rules in the provisions. The Court agreed with the opinion of the Advocate General who had argued for admitting the German association.

Facts

This judgement deals with a request for a preliminary ruling concerning the interpretation of Article 80(1) and (2) and Article 84(1) of 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons about the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR). In particular, Article 80 deals with representation of data subjects and provides that the data subject shall have the right to mandate a not-for-profit body, organisation or association with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights of the data subjects under GDPR.

Meta Platforms Ireland Limited (Meta) manages the services of the online social network Facebook in the European Union (EU). Meta is the controller of the personal data of users of Facebook in the EU. Facebook Germany GmbH, which is registered in Germany promotes the sale of advertising space at the internet address www.facebook.de. At this address, Facebook included an area called “App-Zentrum” (“App Centre”) on which Meta provides free games to users from third parties. The App Center mentions that with the users’ consent, it will obtain some of their data and use it to publish information such as their scores. This leads to the user accepting the general terms and conditions of the application and its data processing policy. In addition, in the case of one game Scrabble, the app is also authorised to post the status, photos and other information on behalf of the user.

The German Federal Union of Consumer Organisations and Associations (Federal Union) which has stood from the Law of Injunctions considered that the information provided by the games in the App Center was unfair, particularly the failure to comply with the legal requirements which relate to the obtention of valid consent from the users as per the provisions of data protection. Moreover, it believed that the application’s statement on having permission to publish the information of the users poses to be disadvantageous for the users. On these grounds, the Federal Union brought an action for an injunction to the Regional Court, Berlin, Germany against Meta and an independent action of a specific infringement of a data subject’s right to protection of his or her data without his or her mandate. Federal Union’s claim, thus, concerned an infringement of the German legislation on the protection of personal data that, at the same time, amounts to an unfair commercial practice, an infringement of a law on consumer protection and a breach of the prohibition on the use of invalid general conditions.

Notably, Federal Union argued that Facebook Ireland should be prohibited from presenting games, in the context of commercial activities aimed at consumers in such a way that, by clicking on a button such as “Play now”, the consumer declares that the game operator obtains, via the social network, information on the personal data on that website and is authorised to transmit information on behalf of the consumer.

The Regional Court ruled against Meta. A subsequent appeal brought by Meta against the Federal Union was dismissed.  Meta then brought an appeal on a point of law before the referring court against the dismissal of its appeal. The referring court considered the action of the Regional Court to be well-founded as Meta infringed the Law against unfair competition, the Law on Injunctions and used an invalid general condition.

Prior to the enactment of GDPR, the Federal Union was authorised to bring proceedings for an injunction before the civil courts in accordance with German law. However, the referring court was doubtful regarding the admissibility of the Federal Union’s action before the appellate court after the enactment of GDPR. This doubt arose since it was not clear whether a consumer protection association, such as the Federal Union, still had standing to bring proceedings, independently of an actual infringement of the rights of individual data subjects and without being mandated by them. Accordingly, it was possible that the Federal Union lost its status of standing during the proceeding following the entry into force of the GDPR. If so, then Meta’s appeal would be upheld.

The referring court considered the fact that it might not be the object of the GDPR to accept that associations have the standing to bring proceedings under competition law. Given the doubts as to the admissibility of the action brought by the Federal Union, and in particular as to its standing to bring proceedings against Meta Platforms Ireland, the referring court referred the matter to the Court of Justice.

Decision Overview

The Third Chamber of the Court of Justice of the European Union delivered the judgment. The primary question before the Court was: whether associations and other entities are empowered to bring proceedings for breaches of the GDPR independent of the specific rights of data subjects before the civil courts on the basis of competition law? The main proceedings between the parties concerned the aforementioned question and only the part of the question which related to the standing to bring proceedings of associations and other bodies authorised under national law was dealt with in this judgement. In responding to the question, the Court held that the data subject has the right to lodge a complaint himself or herself with a supervisory authority of a Member State or to bring an action before the national civil courts under the GDPR. Moreover, the data subject can mandate an organization to lodge a complaint on his or her behalf as well [para. 56].

As per Article 1(1) of the GDPR, read with recitals, 9, 10, 13, it can be said that the GDPR seeks to ensure harmonization of national legislation on the protection of personal data. However, States have the discretion to lay down additional rules. These rules come into immediate effect under the national laws, and there is no need for States to adopt measures of application. Nevertheless, some provisions would require States to implement measures of adoption [para. 57 and 58]. In order for it to be possible to proceed with representative action without a mandate provided for in the provisions, Member States should make use of the option made available to them by that provision to provide in their national law for representing data subjects [para. 59]. However, this discretion must be exercised within the limits of the GDPR [para. 60].

Article 80(2) of GDPR leaves the Member States a discretion with regard to its implementation. Therefore, by making it possible for Member States to provide for a representative action mechanism against the person allegedly responsible for an infringement of the laws protecting personal data, Article 80(2) of the GDPR lays down a number of requirements to be complied with. For instance, as a first principle, the standing to bring proceedings is conferred on a body, organisation or association which meets the criteria set out in the GDPR. This is laid down under Article 80(1) of the GDPR, which refers to the following criteria:

“not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data” [para. 64].

Thus, the Federal Union may fall within the scope as it pursues an objective of public interest of safeguarding the rights and freedoms of data subjects as consumers since this would be related to the protection of their personal data [para. 66].

Second, the exercise of that representative action presupposes that the entity in question, independently of any mandate conferred on it, considers that the rights which a data subject derives from the GDPR have been infringed as a result of the processing of his or her personal data. Here, it is crucial to underline that the concept of “data subject” also includes the designation of categories or groups of persons affected by such treatment, thereby being sufficient to bring about representative action [para. 59]. Thus, for the purposes of representative action, the entity cannot be carrying out a prior individual identification of the person concerned with data processing contrary to the provisions of the GDPR [para. 68]. Besides, the bringing of such an action should not require there to be a specific infringement of the rights which a person derives from the GDPR.

Third, bringing a representative action is not subject to the existence of a specific infringement of the rights which a person derives from rules of data protectio [para. 70]. In order to recognize the entity’s standing, it is enough to claim that the data processing concerned is liable for infringement of rights, without proving actual harm [para. 72]. Such an interpretation is in line with Article 16 of the Treaty on the Functioning of the European Union and Article 8 of the Charter of Fundamental Rights of the European Union, ensuring a high level of the protection of personal data [para. 73]. The court finally held that the aforementioned laws must be interpreted to not preclude national legislation in the absence of a mandate to allow consumer protection associations to bring legal proceedings.

In addition, the Court also held that authorizing consumer protection associations such as the Federal Union in representative capacity strengthens the rights of data subjects [para. 74]. Furthermore, such representative action tends to be more effective than individual action [para. 75].

The Court subsequently moved on to ascertain whether Article 80(2) of the GDPR precludes the bringing of a representative action independently of a specific infringement of a right of a data subject and of a mandate conferred by that data subject, where infringement of data protection rules has been alleged in the context of an action seeking to review the application of other legal rules intended to ensure consumer protection [para 77]. On this front, the Court agreed on the opinion of the Advocate General that provision does not preclude the Member States from exercising the option it offers them, in that consumer protection associations are entitled to take action against infringements of the rights provided for by the GDPR through rules intended to protect consumers or combat unfair commercial practices, such as those provided for by Directive 2005/29 and Directive 2009/22.

In light of the above, the Court answered the question in positive, holding that Article 80(2) of the GDPR must be interpreted as not precluding national legislation which allows a consumer protection association to bring legal proceedings, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.