The Court of Justice of the European Union has ruled in Meta Platforms Ireland Ltd v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV (Case C-757/22). It considered if a consumer protection association has standing under Article 80(2) of the GDPR.
Meta Platforms Ireland manages Facebook and is the controller of users’ personal data in the EU. Its German website has an “App-Zentrum”’ (App Centre) where users can access free third party games. They are informed that if they use a game, the gaming company obtains personal data and it may publish data on that user’s behalf. The user accepts its general terms and conditions and data protection policy. For certain games, the user is informed that the application has permission to post photos and other information on the user’s behalf.
A German consumer association considered that the information provided by the games concerned in the App Centre was unfair. As a body with standing to bring proceedings regarding consumer protection legislation, they sought an injunction against Meta Platforms Ireland. The German courts had doubts about the admissibility of the action and referred it to the CJEU.
The CJEU found that Article 80(2) of the GDPR does not prevent a consumer protection association from being able to bring legal proceedings, even if it does not have a mandate for that purpose and independently of the infringement of the specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions. Such an action is possible where the data processing concerned is liable to affect the rights granted under the GDPR.
It said that although the GDPR seeks to harmonise national data protection laws, Article 80(2) gives member states a discretion regarding its implementation if they exercise their discretion in compliance with the GDPR and do not undermine its content and objectives.
Article 80(2) provides that standing to bring proceedings is conferred on a body, organisation or association which meets the criteria in the GDPR, and this may well include a consumer protection association. The consumer protection association must consider that a data subject’s rights under the GDPR have been infringed by the processing of his or her personal data.
Bringing a representative action does not require the consumer association to specifically identify a person who has been affected by data processing contrary to the GDPR. Designating a category or group of people affected may be enough.
Bringing such an action does not require a specific infringement of GDPR rights. For an entity to have standing to bring proceedings, it is sufficient that the data processing concerned is liable to affect GDPR rights, and there is no need to prove actual harm to the data subject. Giving consumer protection associations the right to bring actions helps to improve data subjects’ rights and to provide a high level of protection.
Finally, the Court said that infringing data protection laws could also infringe consumer protection law or be unfair commercial practices. The GDPR allows member states to authorise consumer protection associations to act against infringements of the rights under the GDPR through consumer protection law.