CJEU - C‑757/22 - Meta Platforms Ireland (Representative action)

From GDPRhub
CJEU - C‑757/22 Meta Platforms Ireland (Representative action)
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 12(1) GDPR
Article 13(1)(c) GDPR
Article 13(1)(e) GDPR
Article 80(2) GDPR
Decided: 11.07.2024
Parties: Meta Platforms Ireland Ltd
Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV
Case Number/Name: C‑757/22 Meta Platforms Ireland (Representative action)
European Case Law Identifier: ECLI:EU:C:2024:598
Reference from: BGH (Germany)
I ZR 186/17
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: Oluwanonso, fb


The CJEU ruled that a violation of the controller’s information obligation can be subject to a representative action under Article 80(2) GDPR.

English Summary

Facts

Meta Platforms Ireland Ltd (the controller) is the provider of the social network Facebook in the EU. Facebook contains a section called “App Centre”, that allows users to access free games provided by third parties. While accessing these games, it is indicated that some personal data is collected by the third party providing the game. The user was also informed that, by using the applications concerned, they accepted the general conditions of those applications and their data protection policy.

The Federal Union of Consumer Organisations and Associations (Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV), a German consumer association, brought an action before the Regional Court of Berlin (Landesgericht Berlin – LG Berlin), claiming that the controller failed to comply with the legal requirements to obtain valid consent from the user under the GDPR.

The action was brought independently of a specific infringement of a data subject’s GDPR rights and without a mandate from a specific data subject. The Federal Union based its standing on national law allowing a consumer protection organization to bring proceedings on the basis of the infringement of the prohibition of unfair commercial practices (or a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions). In this case, the Federal Union deemed that the controller had breached the above cited law by having violated data protection law.

The LG Berlin upheld the action; the controller appealed this decision before the Higher Regional Court of Berlin (Kammergericht Berlin – KG Berlin). This appeal was dismissed and the controller further appealed the judgement of KG Berlin before the Federal Court of Justice (Bundesgerichtshof – BGH).

The BGH had doubts as to the admissibility of the action brought by the Federal Union. Therefore, it referred a question to the CJEU for a preliminary ruling on the interpretation of Article 80(1), 80(2) and 84(1) GDPR. The CJEU answered these questions on 28 April 2022 with the judgement C-319/20, Meta Platforms Ireland.

However, after the CJEU judgement, the BGH still had doubts about the interpretation of Article 80(2) GDPR. More specifically, it observed that the CJEU had not ruled on the condition, laid down in this Article, according to which a consumer protection association must consider that the rights of a data subject have been infringed “as a result of the processing”.

The BGH had this doubt since the GDPR violation at stake concerns the information obligations, set by Article 12(1), 13(1)(c) and 13(1)(e) GDPR. The BGH wondered if the concept of ‘processing’, within the meaning of Article 4(2) GDPR, encompasses situations preceding the collection of such data.

Advocate General Opinion

The Advocate General (Richard De La Tour) opined that the obligation on controllers to provide information about reasons for processing personal data, legal basis for processing, and the intended recipient of personal data does not by itself amount to processing of personal data. However, where this provision is not complied with, it could lead to personal data being processed unlawfully.

Therefore, he argued that the provision of information required by Article 12(1) and 13(1) GDPR could be a condition precedent to determine the lawfulness of any subsequent processing of personal data. Where the data controller fails to comply with this prerequisite, a not-for-profit organization would have the legal standing to bring a representative action against the data controller for breach of data subject rights, even where the data subject has not expressly asked the organization to do so, and where the actual processing of the personal data is yet to take place.

The AG further opined that Article 80(2) GDPR must be interpreted in this way to safeguard the rights of the data subjects under the GDPR.

Holding

The court recalled that, as for the material scope of the mechanism set by Article 80(2) GDPR, the entity must consider that the rights of a data subject under GDPR have been infringed “as a result of the processing”. The court pointed out that it had already clarified that it is not necessary to prove the existence of a “specific infringement” of the rights of one data subject, but it is sufficient to claim that the processing of data is liable to affect the rights which identified or identifiable natural persons derive from the GDPR (see C-319/20, Meta Platforms Ireland, paras. 70 and 72).

The court also specified that Article 80(2) GDPR requires that the infringement of GDPR occurs in the course of the processing of personal data.

After that, the court analysed whether the violation of Article 12(1), 13(1)(c) and 13(1)(e) GDPR constitutes an infringement of GDPR rights “as a result of the processing” under Article 80(2) GDPR.

First of all, the court pointed out that the general aim of the GDPR, as set by Article 1 and Recital 10 GDPR, is to ensure a high level of protection of personal data. To that end, Chapters II and III GDPR set the specific requirements for the processing of personal data.

More specifically, the court observed that any processing must comply with the principles set by Article 5 GDPR. Pursuant to Article 5(1)(a) GDPR, personal data must be processed lawfully, fairly and in a transparent manner. Moreover, as for Article 5(1)(b) GDPR, the court recalled its case law stating that this provision requires that the purposes of the processing be stated clearly and identified, at the latest, when personal data are collected (see C-175/20, Valsts ieņēmumu dienests (Processing of personal data for tax purposes), paras. 64 and 65). Generally speaking, according to Article 5 GDPR the processing must satisfy specific requirements of transparency.

Article 13(1)(c) and 13(1)(e) GDPR imposes an obligation on the controller to inform the data subject of the purposes of the processing, of the legal basis for that processing and of the recipients or categories of recipients of those data. According to Article 12(1) GDPR, this information must be concise, transparent, comprehensible, easily accessible, and formulated in clear and plain language. The court noted that the obligation to provide transparent information ensures observance of the principles of transparency and fairness laid down in Article 5(1) GDPR. The court also highlighted that the controller’s obligation to provide this information is the corollary of the data subjects' right to information under Articles 12 and 13 GDPR and is, therefore, part of the rights enforceable by representative action according to Article 80(2) GDPR.

The court recalled that, according to its case law (see see C-319/20, Meta Platforms Ireland, para. 76), the mechanism set by Article 80(2) GDPR has a preventive function.

The court also noted that the infringement of information obligations can prevent the data subject from giving an “informed” consent within the meaning of Article 4(11) GDPR and, therefore, render the processing unlawful under Article 5(1)(a) GDPR. In other words, the validity of the consent given by the data subject also depends on whether that person has previously obtained the information.

On these grounds, the court held that the right of the data subject, under Article 12(1), 13(1)(c) and 13(1)(e) GDPR, to obtain from the controller, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, information relating to the purpose of such processing and to the recipients of such data, constitutes a right whose infringement allows recourse to the representative action mechanism provided for in Article 80(2) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!