CJEU - C‑319/20 - Meta Platforms Ireland Limited

From GDPRhub
CJEU - C‑319/20 Meta Platforms Ireland Limited
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 80(2) GDPR
Decided: 28.04.2022
Parties: Meta Platforms Ireland Limited
Case Number/Name: C‑319/20 Meta Platforms Ireland Limited
European Case Law Identifier: ECLI:EU:C:2022:322
Reference from: BGH (Germany)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: gauravpathak

The CJEU held that under Article 80(2) GDPR, national legislations may allow consumer protection associations to bring legal proceedings for GDPR violations. That is so even when they have not been specifically authorised for this purpose, and it is independent of the rights of data subjects.

English Summary[edit | edit source]

Facts[edit | edit source]

Meta Platforms Ireland (Meta) manages the social network Facebook in the European Union. Facebook Germany GmbH is a separate entity and “promotes the sale of advertising space on the internet address www.facebook.de”. Facebook contains a section called App Centre that allows users to access free games provided by third parties. While accessing these games, it is indicated that some personal data is shared with the gaming company, and the ability to publish data on behalf of the user is also given to the gaming company.

Federal Union of Consumer Organisations and Associations, Germany (Federal Union) initiated an action for injunction before Regional Court, Berlin (Landgericht (LG) Berlin) in Germany claiming that the information provided by the games in the App Centre is unfair, and the ability of posting information on behalf of the user is a general condition that is to the disadvantage of the user.

LG Berlin ruled against Meta, and this decision was appealed before the Higher Regional Court, Berlin (Kammergericht (KG) Berlin) which too was decided against Meta. Thereafter, Meta brought an appeal on a point of law before the Federal Court of Justice (Bundesgerichtshof (BGH), and the Court referred the following question for a preliminary ruling by the CJEU:

“Do the rules in Chapter VIII, in particular in Article 80(1) and (2) and Article 84(1), of Regulation (EU) 2016/679 1 preclude national rules which – alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the Regulation and the options for legal redress for data subjects – empower, on the one hand, competitors and, on the other, associations, entities and chambers entitled under national law, to bring proceedings for breaches of Regulation (EU) 2016/679, independently of the infringement of specific rights of individual data subjects and without being mandated to do so by a data subject, against the infringer before the civil courts on the basis of the prohibition of unfair commercial practices or breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions?”

Holding[edit | edit source]

The CJEU held that interpretation of Article 80(1) GDPR and Article 84 GDPR is not necessary for answering the question raised in the present case. This is because Article 80(1) GDPR presupposes that a data subject has authorised an organisation to take legal measures on their behalf. Moreover, Article 84 GDPR deals with administrative and criminal penalties for infringements, which are not an issue in the present case. The CJEU held that it is necessary to interpret Article 80(2) GDPR, as it relates most closely to the facts of the case.

The CJEU held that Article 80(2) GDPR gives the Member States discretion with respect to its implementation and “in order for it to be possible to proceed with the representative action without a mandate provided for in that provision, Member States must make use of the option made available to them by that provision to provide in their national law for that mode of representation of data subjects.” The CJEU noted that Germany did not exercise its discretion in this regard, as the national law in the present case “already allows consumer protection associations to bring legal proceedings against the person allegedly responsible for an infringement of the laws protecting personal data”. This national law was adopted to transpose Directive 2009/22 and existed when Data Protection Directive was in force.

The CJEU, while examining the scope of Article 80(2) GDPR, held that the Federal Union was a consumer protection organisation and falls within the public interest objective of safeguarding rights of consumers. The infringement of rules relating to consumer protection might also relate to infringement of rules protecting personal data.

Secondly, the CJEU, while examining the phrase “considers that the rights of a data subject under this Regulation have been infringed as a result of the processing” that is part of Article 80(2) GDPR, held that the entity in question cannot be “required to carry out a prior individual identification of the person specifically concerned by data processing that is allegedly contrary to the provisions of the GDPR.” This is because GDPR defines personal data as those belonging to “not only an ‘identified natural person’, but also an ‘identifiable natural person’”. Moreover, a representative action can be initiated when the representative organisation “considers” an infringement to have taken place, and not only when it can prove actual harm suffered by the data subject.

The CJEU held that such an interpretation and presence of consumer protection associations strengthen the rights of data subjects, and a representative action might be better than several persons individually exercising their rights.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!