On 28 May 2020, the German Federal Court of Justice (BGH) decided to refer a question for a preliminary ruling to the ECJ regarding Articles 80 and 84 of the General Data Protection Regulation (GDPR). The case, brought by consumer protection groups, is about the alleged violation, by the operator of a social network, of the obligation to inform users about the scope and purpose of the collection and use of their data.
The Irish-based defendant, Facebook Ireland Limited, operates the “Facebook” social network. On the internet platform of this network there is an “app center” in which the defendant makes free online games of other providers accessible to the users of its platform. In November 2012, several games were offered in this app center, for which the following information could be read under the button “Play now”: “Clicking on Play game above gives this application: your general information, your email address, about you, your status. This application may post on your behalf, including your score and more.” In one game, the notice ended with the phrase: “This application may post information on your status, photos, and more on your behalf”.
The plaintiff is the umbrella organization of the consumer centers of the Federal states. It claims, among other, that the presentation of the information under the “Play now” button in the app center is improper, including from the point of view of the legal requirements for obtaining effective data protection consent from the user. It considers itself entitled to enforce injunctive relief by bringing an action before the civil courts in accordance with the relevant German rules on unfair competition and consumer protection.
In the first instance, the district court ordered the defendant to refrain from presenting games on its website in an app center in such a way that users of the internet platform, by clicking a button such as “play game”, allow the game operator to use personal data stored there, and is authorized to transmit (post) information on behalf of the user (LG Berlin, 28 October 2014, 16 O 60/13). The defendant’s appeal was unsuccessful (Kammergericht Berlin, 22 September 2017, 5 U 155/14). The defendant has filed a second appeal with the BGH.
The question referred to the ECJ focuses on whether the criteria set out in Chapter VIII of the GDPR, in particular in Article 80(1) and (2) and in Article 84(1), conflict with national rules granting to competitors and associations, institutions and bodies authorized under national law, the right to sue before the civil courts for infringements under the GDPR regardless of the violation of specific rights of individual data subjects, and without any mandate from a data subject.
This question is controversial in the case law of the lower courts and in legal literature. Some consider that the GDPR contains a final regulation for the enforcement of the data protection provisions made in this Regulation, and that associations are therefore only authorized to bring proceedings under the conditions of Article 80 of the GDPR (which have not been met in the case at hand). According to others, the GDPR is not exhaustive, hence associations continue to be authorized to try and enforce injunctive relief in case of an alleged violation of personal data protection rules, independently of any infringement of specific rights of individual data subjects, and without the need of a mandate from a data subject.
The Court of Justice ruled in Fashion ID that the provisions of Directive 95/46/EC (the Data Protection Directive), which was in force until the General Data Protection Regulation became applicable on 25 May 2018, do not preclude associations from having legal standing. However, this decision does not indicate whether this right to bring an action remains in force under the GDPR.