New EU problems for Facebook regarding privacy protection

The European Court has ruled in case C‑319/20 Meta Platforms Ireland Limited, formerly Facebook Ireland Limited, v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.

The case concerns the issue of whether consumer protection associations bring legal proceedings for breach of privacy even without a particular mandate from consumers. The dispute has the following background:

Meta Platforms Ireland, which manages the provision of services of the online social network Facebook in the European Union, is the controller of the personal data of users of that social network in the European Union. Facebook Germany GmbH, which has its registered office in Germany, promotes the sale of advertising space at the internet address http://www.facebook.de. The Facebook internet platform contains, inter alia, at the internet address http://www.facebook.de, an area called ‘App-Zentrum’ (‘App Center’) on which Meta Platforms Ireland makes available to users free games provided by third parties. When consulting the App Center of some of those games, an indication appears informing the user that the use of the application concerned enables the gaming company to obtain a certain amount of personal data and, by that use, permission is given for it to publish data on behalf of that user, such as his or her score and other information. The consequence of that use is that the user accepts the general terms and conditions of the application and its data protection policy. In addition, in the case of a specific game, it is stated that the application has permission to post the status, photos and other information on behalf of that user.

The Federal Union, a body which has standing under Paragraph 4 of the Law on Injunctions, considers that the information provided by the games concerned in the App Center is unfair, in particular in terms of the failure to comply with the legal requirements which apply to the obtention of valid consent from the user under the provisions governing data protection. Moreover, it considers that the statement that the application has permission to publish certain personal information of the user on his or her behalf constitutes a general condition which unduly disadvantages the user.

In that context, the Federal Union brought an action for an injunction before the Regional Court, Berlin, Germany against Meta Platforms Ireland based on Paragraph 3a of the Law against unfair competition, the first sentence of point 11 of Paragraph 2(2) of the Law on Injunctions and the Civil Code. It brought that action independently of a specific infringement of a data subject’s right to protection of his or her data and without being mandated to do so by such a person.

The Regional Court, Berlin ruled against Meta Platforms Ireland, in accordance with the form of order sought by the Federal Union. The appeal brought by Meta Platforms Ireland before the Higher Regional Court, Berlin, Germany was dismissed. Meta Platforms Ireland then brought an appeal on a point of law (Revision) before the referring court against the dismissal decision adopted by the Higher Regional Court, Berlin.

The referring court considers that the action brought by the Federal Union is well founded, in so far as Meta Platforms Ireland infringed Paragraph 3a of the Law against unfair competition and the first sentence of point 11 of Paragraph 2(2) of the Law on Injunctions, and used an invalid general condition, within the meaning of Paragraph 1 of the Law on Injunctions.

However, that court has doubts as to the admissibility of the action brought by the Federal Union. It takes the view that it cannot be ruled out that the Federal Union, which did indeed have standing to bring proceedings on the date on which it brought the action – on the basis of Paragraph 8(3) of the Law against unfair competition and point 1 of the first sentence of Paragraph 3(1) of the Law on Injunctions – lost that status during the proceedings, following the entry into force of the GDPR and, in particular, Article 80(1) and (2) and Article 84(1) thereof. If that were the case, the referring court would have to uphold the appeal on a point of law brought by Meta Platforms Ireland and dismiss the action of the Federal Union, since, under German procedural law, standing to bring proceedings must endure until the end of the proceedings at last instance.

According to the referring court, the answer in that regard is not clear from the assessment of the wording, scheme and objectives of the provisions of the GDPR.

As regards the wording of the provisions of the GDPR, the referring court notes that the existence of standing to bring proceedings of not-for-profit bodies, organisations or associations which have been properly constituted in accordance with the law of a Member State, pursuant to Article 80(1) of the GDPR, presupposes that the data subject has mandated a body, organisation or association for it to exercise on his or her behalf the rights referred to in Articles 77 to 79 of the GDPR and the right to compensation referred to in Article 82 of the GDPR where the law of a Member State so provides.

The referring court states that standing to bring proceedings under Paragraph 8(3)(3) of the Law against unfair competition does not cover such an action brought on the basis of a mandate and on behalf of a data subject in order to assert his or her personal rights. On the contrary, it confers on an association, by virtue of a right peculiar to it and stemming from Paragraph 3(1) and Paragraph 3a of the Law against unfair competition, standing to bring proceedings on an objective basis against infringements of the provisions of the GDPR, independently of the infringement of specific rights of data subjects and of a mandate conferred by them.

In addition, the referring court observes that Article 80(2) of the GDPR does not provide for an association’s standing to bring proceedings in order to secure the application, objectively, of the law on the protection of personal data since that provision presupposes that the rights of a data subject laid down in the GDPR have actually been infringed as a result of the processing of specific data.

Furthermore, an association’s standing to bring proceedings, such as that provided for in Paragraph 8(3) of the Law against unfair competition, cannot result from Article 84(1) of the GDPR, under which the Member States are to lay down the rules on other penalties applicable to infringements of that regulation and are to take all measures necessary to ensure that they are implemented. The standing of an association, such as that referred to in Paragraph 8(3) of the Law against unfair competition, cannot be regarded as constituting a ‘penalty’ within the meaning of that provision of the GDPR.

As regards the scheme of the provisions of the GDPR, the referring court considers that it may be inferred from the fact that it harmonised, inter alia, the powers of the supervisory authorities that it is principally for those authorities to verify the application of the provisions of that regulation. However, the expression ‘without prejudice to any other … remedy’, which appears in Article 77(1), Article 78(1) and (2) and Article 79(1) of the GDPR, may undermine the argument that oversight of the application of the law is exhaustively governed by that regulation.

As regards the objective of the provisions of the GDPR, the referring court notes that the effectiveness of that regulation may support an argument in favour of associations having standing to bring proceedings on the basis of competition law, in accordance with Paragraph 8(3)(3) of the Law against unfair competition, independently of the infringement of specific rights of data subjects, since that would allow an additional opportunity to supervise the application of the law to remain, in order to ensure as high a level as possible of protection of personal data, in accordance with recital 10 of the GDPR. Nonetheless, accepting that associations have standing to bring proceedings under competition law may be considered to run counter to the objective of harmonisation pursued by the GDPR.

In the light of those considerations, the Federal Court of Justice decided to stay the proceedings and to refer the following question to the Court of Justice for a preliminary ruling:

‘Do the rules in Chapter VIII, in particular in Article 80(1) and (2) and Article 84(1), of [the GDPR] preclude national rules which – alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the Regulation and the options for legal redress for data subjects – empower, on the one hand, competitors and, on the other, associations, entities and chambers entitled under national law, to bring proceedings for breaches of [the GDPR], independently of the infringement of specific rights of individual data subjects and without being mandated to do so by a data subject, against [the person responsible for that infringement] before the civil courts on the basis of the prohibition of unfair commercial practices or breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions?’

The Court’s decision:

Article 80(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as not precluding national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s