Provisional text
OPINION OF ADVOCATE GENERAL
RICHARD DE LA TOUR
delivered on 25 January 2024 (1)
Case C‑757/22
Meta Platforms Ireland Limited
v
Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.
(Request for a preliminary ruling from the Bundesgerichtshof (Federal Court of Justice, Germany))
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 12(1), first sentence – Transparency of information – Article 13(1)(c) and (e) – Obligation of the controller to provide information – Article 80(2) – Representation of the data subjects by a consumer protection association – Representative action brought in the absence of a mandate and independently of the violation of specific rights of a data subject – Action based on the infringement of the controller’s information obligation – Concept of ‘infringement of a data subject’s rights “as a result of the processing”’)
I. Background to the case, facts of the dispute in the main proceedings and new question referred for a preliminary ruling
1. In the present case, the Bundesgerichtshof (Federal Court of Justice, Germany) is once again referring for a preliminary ruling a question relating to the interpretation of Article 80(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).(2)
2. Under that provision, Member States may provide that any body, organisation or association, independently of a data subject’s mandate, has the right to lodge, in the Member State in question, a complaint with the supervisory authority, pursuant to Article 77 of that regulation, and to exercise the rights referred to in Articles 78 and 79 thereof, if it considers that the rights of a data subject under the said regulation have been infringed as a result of the processing of personal data.
3. This request for a preliminary ruling has been made in the context of a dispute between Meta Platforms Ireland Limited, formerly Facebook Ireland Limited, whose registered office is in Ireland, and the Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (Federal Union of German Consumer Organisations, Germany) (‘the Federal Union’) concerning the alleged infringement, by Meta Platforms Ireland, of German personal data protection legislation which, at the same time, amounts to an unfair commercial practice, an infringement of a law on consumer protection and a breach of the prohibition on the use of invalid general terms and conditions.
4. It is the same dispute as that in the case which gave rise to the judgment of 28 April 2022, Meta Platforms Ireland, (3) whose facts can be summarised as follows. (4)
5. Meta Platforms Ireland, which manages the provision of services of the online social network Facebook in the European Union, is the controller of the personal data of users of that social network in the European Union. Facebook Germany GmbH, which has its registered office in Germany, promotes the sale of advertising space at the Internet address www.facebook.de. The Facebook Internet platform contains, inter alia, at the Internet address www.facebook.de, an area called ‘App-Zentrum’ (App Center) in which Meta Platforms Ireland makes available to users free games provided by third parties. When certain of those games are accessed in the App Center, the user sees an indication that use of the application concerned permits the gaming company to obtain a certain amount of personal data and authorises it to make posts on behalf of that user, such as his or her score and other information. The consequence of that use is that the user accepts the general terms and conditions of the application and its data protection policy. In addition, in the case of a specific game, it is stated that the application is authorised to post status, photos and other information on behalf of that user.
6. The Federal Union, a body which has standing to bring proceedings under Paragraph 4 of the Gesetz über Unterlassungsklagen bei Verbraucherrechts- und anderen Verstößen (Unterlassungsklagengesetz – UKlaG) (Law on injunctions against infringements of consumer law and other infringements), of 26 November 2001, (5) considers that the information provided by the games concerned in the App Center is unfair, in particular in terms of the failure to comply with the legal requirements that apply to the obtention of valid consent from the user under the provisions governing data protection. Moreover, it considers that the indication that the application is authorised to publish certain personal information of the user on his or her behalf constitutes a general condition which unduly disadvantages the user.
7. In that context, the Federal Union brought an action for an injunction before the Landgericht Berlin (Regional Court, Berlin, Germany) against Meta Platforms Ireland based on Paragraph 3a of the Gesetz gegen den unlauteren Wettbewerb (Law against unfair competition), of 3 July 2004; (6) Paragraph 2(2), first sentence, point 11, of the Law on injunctions; and on the Bürgerliches Gesetzbuch (Civil Code). It brought that action independently of a specific infringement of a data subject’s right to the protection of his or her data and without being mandated to do so by such a person.
8. The Landgericht Berlin (Regional Court, Berlin) ruled against Meta Platforms Ireland in accordance with the form of order sought by the Federal Union. The appeal brought by Meta Platforms Ireland before the Kammergericht Berlin (Higher Regional Court, Berlin, Germany) was dismissed. Meta Platforms Ireland then brought an appeal on a point of law (Revision) before the referring court against the dismissal decision adopted by the court of appeal.
9. In that appeal, the referring court considered that the action brought by the Federal Union was well founded, in so far as Meta Platforms Ireland had infringed Paragraph 3a of the Law against unfair competition and Paragraph 2(2), first sentence, point 11, of the Law on injunctions and had used an invalid general term or condition, within the meaning of Paragraph 1 of the Law on injunctions.
10. However, that court had doubts as to the admissibility of the action brought by the Federal Union. It questioned, in particular, whether the Federal Union’s standing to bring proceedings could derive from Article 80(2) of the GDPR. It therefore addressed to the Court of Justice a question for a preliminary ruling on the interpretation of that provision.
11. In response to that question, the Court held, in its judgment in Meta Platforms Ireland, that Article 80(2) of the GDPR must be interpreted as not precluding national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation. (7)
12. The Court thereby defined the material scope of the representative action mechanism against the person allegedly responsible for an infringement of the laws protecting personal data, provided for in Article 80(2) of the GDPR.
13. In particular, the Court held that, for the purposes of bringing such a representative action, an entity meeting the conditions referred to in Article 80(1) of the GDPR cannot be required to carry out a prior individual identification of the person specifically concerned by data processing that is allegedly contrary to the provisions of that regulation. (8) Therefore, the designation of a category or group of persons affected by such treatment may also be sufficient for the purposes of bringing that representative action. (9)
14. The Court also held that, under Article 80(2) of the GDPR, the bringing of a representative action is also not subject to the existence of a specific infringement of the rights which a person derives from the data protection rules. (10) According to the Court, the lodging of a representative action presupposes only that the entity concerned ‘considers’ that the rights of a data subject laid down in that regulation have been infringed as a result of the processing of his or her personal data and therefore alleges the existence of data processing that is contrary to the provisions of that regulation. (11) It follows that, in order to recognise that such an entity has standing to bring proceedings under Article 80(2) of the GDPR, it is sufficient to claim that the data processing concerned is liable to affect the rights which identified or identifiable natural persons derive from that regulation, without it being necessary to prove actual harm suffered by the data subject, in a given situation, by the infringement of his or her rights. (12)
15. Although the referring court has thus already obtained guidance from the Court in order to be able to determine whether the action for an injunction brought by the Federal Union can be regarded as admissible in the light of the conditions laid down in Article 80(2) of the GDPR, it considers that there is still doubt as to the interpretation of that provision. The referring court emphasises that the Federal Union’s standing to bring proceedings depends on whether, within the meaning of the said provision, that entity claims in its action that the rights of a data subject under that regulation were infringed ‘as a result of the processing’.
16. According to the referring court, it is unclear whether that requirement relating to the material scope of Article 80(2) of the GDPR is fulfilled in the circumstances of this case.
17. That court states that the Federal Union relies, in support of its action, on the infringement of the information obligation laid down in the first sentence of Article 12(1) of the GDPR, in conjunction with Article 13(1)(c) and (e) of that regulation, relating to the purpose of the processing of data and the recipient of the personal data. According to the said court, it must be determined whether the Federal Union can therefore be regarded as invoking the infringement of rights ‘as a result of the processing’, within the meaning of Article 80(2) of the said regulation.
18. More specifically, the referring court considers, first, that it is still uncertain whether, in the present case, the infringement of the information obligation arising from the first sentence of Article 12(1) and from Article 13(1)(c) and (e) of the GDPR falls within the concept of ‘processing’, within the meaning of point 2 of Article 4 thereof, and whether that concept also encompasses situations which precede the start of the collection of personal data. (13)
19. Second, that court considers that it is not clearly established whether, in a situation such as that at issue in the main proceedings, the infringement of the information obligation occurred ‘as a result of’ the processing of personal data within the meaning of Article 80(2) of the GDPR. The said court emphasises, in that regard, that the expression ‘as a result of’ might suggest that the entity which brings a representative action must, for that action to be admissible, invoke the infringement of the rights of a data subject under that regulation which results from a data processing operation within the meaning of point 2 of Article 4 of that regulation and which is, therefore, subsequent to such an operation. (14)
20. In those circumstances, the Bundesgerichtshof (Federal Court of Justice) decided once again to stay the proceedings and to refer the following question to the Court of Justice for a preliminary ruling:
‘Is an infringement of [the rights of a data subject] “as a result of the processing” within the meaning of Article 80(2) of the GDPR asserted when a consumer protection association invokes, in support of its action, infringement of a data subject’s rights on the ground of non-compliance with the information obligations laid down in the first sentence of Article 12(1) of the GDPR, read in conjunction with Article 13(1)(c) and (e) of the GDPR, relating to the purpose of the data processing and the recipient of the personal data?’
21. Written observations have been submitted by Meta Platforms Ireland, the Federal Union, the German and Portuguese Governments and the European Commission.
22. A hearing was held on 23 November 2023, with Meta Platforms Ireland, the German Government and the Commission present.
II. Analysis
23. As I have noted above, the referring court has doubts as to whether, in the circumstances of the case, the representative action that has been brought by the Federal Union fulfils the condition laid down in Article 80(2) of the GDPR, namely that the entity that has brought that action must consider that the rights of a data subject under that regulation have been infringed ‘as a result of the processing’ of personal data.
24. In order to understand fully the context in which the referring court asks the Court for further clarification of the material scope of that provision, it must be recalled that, in support of its action, the Federal Union invokes the infringement by Meta Platforms Ireland of its obligation to provide information on the purpose and scope of the user’s consent to the processing of his or her personal data. More particularly, the subject matter of the dispute is the presentation of games in the App Center found on Meta Platforms Ireland’s Internet platform and the indication that each application is authorised to publish certain personal information of the user on his or her behalf. The Federal Union has brought that action independently of the infringement of the specific rights of a data subject and without being mandated by such a subject, in accordance with the said provision, as the Court acknowledged in its judgment in Meta Platforms Ireland. (15)
25. The differences of opinion on the question seeking to determine whether the Federal Union has standing to bring proceedings under Article 80(2) of the GDPR are now focussed on the referring court’s finding that the representative action brought by that entity does not concern whether Meta Platforms Ireland infringes a user’s data protection rights when he or she clicks on the ‘Play now’ or ‘Play game’ button in the App Center and thus possibly triggers the processing of his or her personal data. Moreover, it is common ground that the question whether the automated operations relating to a user’s personal data that take place after such a button is activated infringe that user’s data protection rights is not the purpose of the action brought by the Federal Union, either.
26. In short, the dispute is fixed on the question whether it is sufficient, for such an association to have standing to bring proceedings under Article 80(2) of the GDPR, that that association rely on the infringement of an information obligation without criticising, as such, the data processing which results from the operation consisting in clicking on the ‘Play now’ or ‘Play game’ button, when that provision requires that a data subject’s rights be infringed ‘as a result of the processing’.
27. That is why the referring court’s questions are concentrated on two elements, namely, first, the extent of the concept of ‘processing’ and, second, the meaning of the phrase ‘as a result of the processing’ contained in the said provision.
28. Thus, the referring court asks whether the obligation to communicate to the data subject, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, information relating to the purpose of the personal data processing and the recipient of the personal data, which follows from the first sentence of Article 12(1) and from Article 13(1)(c) and (e) of the GDPR falls within the concept of ‘processing’ within the meaning of point 2 of Article 4 of that regulation.
29. Under point 2 of Article 4 of the said regulation, ‘processing’ means ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.
30. It is apparent from the wording of that provision, in particular from the expression ‘any operation’, that the EU legislature intended to give the concept of ‘processing’ a broad scope. That interpretation is borne out by the non-exhaustive nature, expressed by the phrase ‘such as’, of the operations referred to in the said provision. (16) According to the Court, that is consistent with the objective of guaranteeing the effectiveness of the fundamental right of protection of natural persons with regard to the processing of personal data, referred to in recital 1 of the GDPR, which sets the tone for the application of that regulation. (17)
31. In support of the thesis according to which the information obligation resulting from the first sentence of Article 12(1) and from Article 13(1)(c) and (e) of the GDPR may fall within the concept of ‘processing’ within the meaning of point 2 of Article 4 of that regulation, the referring court notes what the Court held in its judgment of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes). (18)
32. In the case which gave rise to that judgment, the Valsts ieņēmumu dienests (State Tax Authority, Latvia) asked the economic operator concerned to renew the access of that tax authority’s departments to the chassis numbers of vehicles featured in an advertisement published on its website as well as to the vendors’ telephone numbers and to provide it with information on the advertisements published on that website.
33. It is in that context that the Court found that such a request, by which the tax authority of a Member State asks an economic operator to communicate and make available personal data which that operator is required to provide and make available to that authority under that Member State’s national legislation, initiates a process of ‘collection’ of those data, within the meaning of point 2 of Article 4 of the GDPR. (19) The referring court infers from this, making a comparison with the situation at issue in the main proceedings, that the concept of ‘processing’ within the meaning of that provision covers operations which simply ‘initiate’ the collection of personal data and thus operations at the stage prior to an operation that the EU legislature has expressly considered an example of processing.
34. I am of the view, however, that that situation clearly distinguishes itself from that which gave rise to the judgment of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes). (20) The present case does not involve attaching to a processing process an operation which enables that process to be initiated, but rather identifying the link between an information obligation, such as that which results from the first sentence of Article 12(1) and Article 13(1)(c) and (e) of the GDPR and a given processing.
35. In that regard, I consider that, as broad as it is, the scope of the concept of ‘processing’ within the meaning of point 2 of Article 4 of the GDPR cannot extend to such an information obligation. That obligation involves no direct or indirect action on personal data. The said obligation is rather a condition of lawfulness of the processing of those data.
36. It should be noted that Article 12 of that regulation sets out the general obligations incumbent on the controller as regards the transparency of information and communications, as well as the modalities for the exercise of the rights of the data subject.
37. In particular, the first sentence of Article 12(1) of the regulation provides that ‘the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child’.
38. Article 13 of the GDPR, entitled ‘Information to be provided where personal data are collected from the data subject’, provides, in paragraph 1(c) and (e) thereof:
‘Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
…
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
…
(e) the recipients or categories of recipients of the personal data, if any …’
39. It should be recalled that the first subparagraph of Article 6(1) of the GDPR sets out an exhaustive and restrictive list of the cases in which processing of personal data can be regarded as lawful. Thus, in order that it may be regarded as such, processing must fall within one of the cases provided for in that provision. (21)
40. Under point (a) of the first subparagraph of Article 6(1) of that regulation, the processing of personal data is lawful if and to the extent that the data subject has given consent for one or more specific purposes. (22)
41. In the absence of such consent, or where that consent is not freely given, specific, informed and unambiguous, within the meaning of point 11 of Article 4 of the GDPR, and where the processing at issue does not meet one of the requirements of necessity mentioned in points (b) to (f) of the first subparagraph of Article 6(1) of that regulation, that processing is unlawful. (23)
42. As regards the requirement arising from point 11 of Article 4 of the GDPR according to which consent must be ‘informed’, that requirement implies, in accordance with Article 13 of that regulation, read in the light of recital 42 thereof, that the controller is to provide the data subject with information relating to all the circumstances surrounding the data processing, in an intelligible and easily accessible form, using clear and plain language, allowing the data subject to be aware of, inter alia, the type of data to be processed, the identity of the controller, the period and procedures for that processing and the purposes of the processing. Such information must allow the data subject easily to understand the consequences of any consent he or she might give and ensure that the consent is given with full knowledge of the facts. (24)
43. I note however that, as the referring court indicates, (25) the Federal Union takes issue with the presentation of the information supplied under the ‘Play now’ button in the App Center on the ground that it is unfair, particularly in terms of the non-compliance with the legal conditions which apply to the obtention of the user’s valid consent under the provisions governing the protection of personal data.
44. In other words, what underpins the action brought by the Federal Union is that, having regard to the defective presentation of the App Center invoked by that entity, a person is liable to click on the ‘Play now’ button without having had at his or her disposal the information necessary to allow him or her easily to understand the consequences of any consent he or she might give to the processing of his or her personal data once that button has been triggered and without ensuring that that consent is given in full knowledge of the facts.
45. In those circumstances, I am of the view that the Federal Union is asserting in its action, in accordance with what is provided for in Article 80(2) of the GDPR, that ‘the rights of a data subject under [that] regulation have been infringed as a result of the processing’.
46. First, Article 12 and Article 13 of the GDPR are both part of Chapter III of that regulation, entitled ‘Rights of the data subject’. In view of the information obligation on the controller pursuant to those articles, the rights that arise from them for the data subjects are among those which the representative action provided for in Article 80(2) of the said regulation aims to protect.
47. Second, the alleged infringement of the data subjects’ right to be sufficiently informed of all the circumstances surrounding processing of personal data, in particular the purpose of that processing and the recipient of those data, is liable to preclude the expression of ‘informed’ consent within the meaning of point 11 of Article 4 of the GDPR, which may render that treatment unlawful.
48. Therefore, it is sufficient, for the purposes of bringing a representative action under Article 80(2) of that regulation, for an entity to invoke the controller’s information obligation, specifying the processing concerned, which in the present case is that which occurs when a person clicks on the ‘Play now’ button. It must be data processing that is likely to affect the rights that identified or identifiable natural persons derive from the said regulation, (26) which implies that that processing must exist and therefore must not be purely hypothetical.
49. Moreover, it is, in my view, irrelevant that that entity invokes an infringement which precedes processing of personal data. That is the case in respect of the information obligation which must be implemented no later than at the time when the data are collected, in accordance with Article 13(1) of the GDPR.
50. Therefore, the phrase ‘as a result of the processing’ contained in Article 80(2) of that regulation in no way means that the right which the action provided for in that article seeks to have declared infringed must necessarily concern a stage subsequent to an operation constituting ‘processing’ within the meaning of point 2 of Article 4 of the said regulation. In other words, one should not read into that phrase any requirement of a temporal sequence which would imply that the infringement of the rights of a data subject provided for in the GDPR should occur at a stage following such processing.
51. What is important is rather that there be a link between respect for the rights at issue and the processing concerned. That is the case where the infringement of those rights has the effect of making that processing unlawful. The unlawfulness of the processing arises from the infringement of the information obligation. The two are inseparable.
52. It follows that the requirement according to which an entity can bring a representative action under Article 80(2) of the GDPR if it considers that the rights of a data subject provided for in that regulation have been infringed ‘as a result of the processing’ does not, in my view, require that that entity invoke the infringement of such rights which results from a data processing operation within the meaning of point 2 of Article 4 of that regulation, and which is therefore subsequent to such an operation. It is sufficient for it to note the existence of a link between the processing of personal data and the infringement of rights protected by the GDPR.
53. It is therefore irrelevant in this case that the Federal Union is invoking the infringement of an information obligation regardless of whether or not a data subject clicks on the ‘Play now’ button in the App Center, since such an obligation, in so far as it is liable to affect the conditions of lawfulness of the processing resulting from the activation of that button, is indisputably linked to that processing.
54. That interpretation is consistent not only with the preventive function of the representative action provided for in Article 80(2) of the GDPR, (27) but also, in so far as it contributes to strengthening the rights of data subjects, (28) with the objective of that regulation, in which is apparent from recital 10, consisting in ensuring within the EU a high level of protection of the fundamental rights and freedoms of natural persons with respect to the processing of personal data. (29)
55. I would add that it would, in my view, be inconsistent to adopt a restrictive interpretation of the material scope of Article 80(2) of that regulation, when Article 79(1) of the GDPR provides, in similar terms, for the right of each data subject to an effective judicial remedy and when there is no reason to exclude from the material scope of such an action the rights which arise from the information obligation laid down in the first sentence of Article 12(1) of that regulation, read in conjunction with Article 13(1)(c) and (e) thereof.
56. Consequently, I consider that Article 80(2) of the GDPR must be interpreted as meaning that the condition according to which an authorised entity, in order to be able to bring a representative action under that provision, must assert that it considers the rights of a data subject provided for in that regulation to have been infringed as a result of the processing, assumes that that entity alleges the existence of processing of personal data and of a link between the infringement of those rights and that processing. Such a condition is fulfilled where that action is based, in connection with processing of personal data, on the infringement by the controller of the information obligation laid down in the first sentence of Article 12(1) of the said regulation, read in conjunction with Article 13(1)(c) and (e) thereof, in so far as that infringement is liable to render that processing unlawful.
III. Conclusion
57. In the light of all the foregoing considerations, I propose that the Court answer the question referred for a preliminary ruling by the Bundesgerichtshof (Federal Court of Justice, Germany) as follows:
Article 80(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
must be interpreted as meaning that the condition according to which an authorised entity, in order to be able to bring a representative action under that provision, must assert that it considers the rights of a data subject provided for in that regulation to have been infringed as a result of the processing, assumes that that entity alleges the existence of processing of personal data and of a link between the infringement of those rights and that processing. Such a condition is fulfilled where that action is based, in connection with processing of personal data, on the infringement by the controller of the information obligation laid down in the first sentence of Article 12(1) of the said regulation, read in conjunction with Article 13(1)(c) and (e) thereof, in so far as that infringement is liable to render that processing unlawful.