CJEU - C-757/22 - Meta Platforms

From GDPRhub
Revision as of 09:23, 23 February 2024 by Nzm (talk | contribs)
CJEU - C-757/22 Meta Platforms
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 12(1) GDPR
Article 13(1)(c) GDPR
Article 13(1)(e) GDPR
Article 80(2) GDPR
Paragraph 4, Law on injunctions against infringements of consumer law and other infringements
Decided: 25.01.2024
Parties: Meta Platforms Ireland Limited
Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.
Case Number/Name: C-757/22 Meta Platforms
European Case Law Identifier: ECLI:EU:C:2024:88
Reference from: BGH (Germany)
Language: 24 EU Languages
Original Source: AG Opinion
Initial Contributor: n/a


Advocate General Richard De La Tour opines that failure to provide information prior to the processing of personal data could lead to unlawful processing of personal data and justify a complaint by not-for-profit organizations under Article 80 GDPR.

English Summary

Facts

Meta Platforms owns the popular social networking site Facebook. Data subjects who tried to make use of Facebook's third party "App Centre" containing games in Germany were forced to accept the general terms, conditions and data protection policies of third-party gaming apps when they accessed the App Centre. This authorized the third-party apps to make posts such as score and photos, about the user on the Facebook platform.

The Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (Federal Union of German Consumer Organizations, Germany) succesfully brought a representative action under Article 80(2) GDPR at the Regional Court, Berlin seeking injunction against Meta for violation of consumer protection law. Meta appealed this decision first to the Higher Regional Court, Berlin, then to the Federal Court of Justice, which sought a preliminary reference ruling from the Court of Justice.

Holding

The Advocate General (Richard De La Tour) opined that the obligation to provide on controllers to provide information about reasons for processing personal data, legal basis for processing, and intended recipient of personal data does not by itself amount to processing of personal data. However, where this provision is not complied with, it could lead to personal data being processed unlawfully.

Therefore, he opines that the provision of information required by Article 12(1) GDPR and Article 13(1) GDPR could be a condition precedent to determine the lawfulness of any subsequent processing of personal data. Where the data controller fails to comply with this prerequisite, a not-for-profit organization would have the legal standing to bring a representative action against the data controller for breach of data subject rights, even where the data subject has not expressly asked the organization to do so, and where the actual processing of the personal data is yet to take place.

The AG further opines that Article 80(2) GDPR must be interpreted in this way to safeguard the rights of the data subjects under the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!