Case C‑319/20
Meta Platforms Ireland Limited, formerly Facebook Ireland Limited
v
Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV
(Request for a preliminary ruling from the Bundesgerichtshof)
Judgment of the Court (Third Chamber), 28 April 2022
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 80 – Representation of the data subjects by a not-for-profit association – Representative action brought by a consumer protection association in the absence of a mandate and independently of the infringement of specific rights of a data subject – Action based on the prohibition of unfair commercial practices, the infringement of a consumer protection law or the prohibition of the use of invalid general terms and conditions)
Protection of individuals with regard to the processing of personal data – Regulation 2016/679 – Representation of data subjects – Locus standi – Consumer protection association – Representative action brought by that association in the absence of a mandate and independently of the infringement of a data subject’s specific rights – Action based on the infringement of the rules on consumer protection or on combating unfair commercial practices – Whether permissible – Condition
(European Parliament and Council Regulation 2016/679, Art. 80(2))
(see paragraphs 57-60, 63-79, 83, operative part)
Résumé
Meta Platforms Ireland manages the provision of services of the online social network Facebook and is the controller of the personal data of users of that social network in the European Union. The Facebook internet platform contains, at the internet address www.facebook.de, an area called ‘App-Zentrum’ (‘App Center’) on which Meta Platforms Ireland makes available to users free games provided by third parties. When viewing some of those games, the user is informed that use of the application concerned enables the gaming company to obtain a certain amount of personal data and gives it permission to publish data on behalf of that user. By using that application, the user accepts its general terms and conditions and data protection policy. In addition, in the case of a specific game, the user is informed that the application has permission to post photos and other information on his or her behalf.
The German Federal Union of Consumer Organisations and Associations (1) considered that the information provided by the games concerned in the App Center was unfair. Therefore, as a body with standing to bring proceedings seeking to end infringements of consumer protection legislation, (2) the Federal Union brought an action for an injunction against Meta Platforms Ireland. That action was brought independently of a specific infringement of the right to data protection of a data subject and without a mandate from a data subject. The decision upholding that action was the subject of an appeal brought by Meta Platforms Ireland which, after that appeal was dismissed, then brought a further appeal before the Bundesgerichtshof (Federal Court of Justice, Germany). Since it had doubts as to the admissibility of the action brought by the Federal Union, and in particular as to its standing to bring proceedings against Meta Platforms Ireland, that court referred the matter to the Court of Justice.
By its judgment, the Court finds that Article 80(2) of the General Data Protection Regulation (3) does not preclude a consumer protection association from being able to bring legal proceedings, in the absence of a mandate granted to it for that purpose and independently of the infringement of the specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions. Such an action is possible where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.
Findings of the Court
First of all, the Court notes that while the GDPR (4) seeks to ensure harmonisation of national legislation on the protection of personal data which is, in principle, full, Article 80(2) of that regulation is amongst the provisions which leaves the Member States a discretion with regard to its implementation. (5) Therefore, in order for it to be possible to proceed with the representative action without a mandate provided for in that provision, Member States must make use of the option made available to them by that provision to provide in their national law for that mode of representation of data subjects. However, when exercising that option, the Member States must use their discretion under the conditions and within the limits laid down by the provisions of the GDPR and must therefore legislate in such a way as not to undermine the content and objectives of that regulation.
Next, the Court points out that, by making it possible for Member States to provide for a representative action mechanism against the person allegedly responsible for an infringement of the laws protecting personal data, Article 80(2) of the GDPR lays down a number of requirements to be complied with. Thus, first, standing to bring proceedings is conferred on a body, organisation or association which meets the criteria set out in the GDPR. (6)A consumer protection association, such as the Federal Union, which pursues a public interest objective consisting in safeguarding the rights and freedoms of data subjects in their capacity as consumers, since the attainment of such an objective is likely to be related to the protection of the personal data of those persons, may fall within the scope of that concept. Second, the exercise of that representative action presupposes that the entity in question, independently of any mandate conferred on it, considers that the rights which a data subject derives from the GDPR have been infringed as a result of the processing of his or her personal data.
Thus, first, the bringing of a representative action (7) does not require prior individual identification by the entity in question of the person specifically concerned by data processing that is allegedly contrary to the provisions of the GDPR. For that purpose, the designation of a category or group of persons affected by such treatment may also be sufficient. (8)
Second, the bringing of such an action does not require there to be a specific infringement of the rights which a person derives from the GDPR. In order to recognise that an entity has standing to bring proceedings, it is sufficient to claim that the data processing concerned is liable to affect the rights which identified or identifiable natural persons derive from that regulation, without it being necessary to prove actual harm suffered by the data subject, in a given situation, by the infringement of his or her rights. Thus, in the light of the objective pursued by the GDPR, authorising consumer protection associations, such as the Federal Union, to bring, by means of a representative action mechanism, actions seeking to have processing contrary to the provisions of that regulation brought to an end, independently of the infringement of the rights of a person individually and specifically affected by that infringement, undoubtedly contributes to strengthening the rights of data subjects and ensuring that they enjoy a high level of protection.
Finally, the Court states that the infringement of a rule relating to the protection of personal data may at the same time give rise to an infringement of rules on consumer protection or unfair commercial practices. The GDPR (9) allows the Member States to exercise their option to provide for consumer protection associations to be authorised to bring proceedings against infringements of the rights provided for by the GDPR through rules intended to protect consumers or combat unfair commercial practices