Case Chronology

This case deals with a complex intersection of consumer protection laws, privacy rights, and the transparency of user consent in the digital age. It involved a legal battle between Meta Platforms Ireland Ltd (the parent company of Facebook for users outside the US and Canada) and the German Federal Union of Consumer Organisations and Associations (Verbraucherzentrale Bundesverband, abbreviated as VZBV), a consumer rights organisation in Germany.

The dispute came from worries about the openness of Facebook's permission procedures and data usage practices. Facebook Ireland Ltd, renamed Meta Platforms Ireland Ltd, has its headquarters in Ireland and provides services throughout the European Union. German consumer rights groups launched the complaint, arguing that Facebook's user data processing procedures violated European data protection requirements.

Meta Platforms Ireland, which manages the provision of services for the social media platform Facebook in the European Union, is the controller of personal data of Facebook users in the European Union." Facebook Germany GmbH, which has its registered office in Germany, promotes the sale of advertising space on the website www.facebook.de. The Facebook Internet platform includes, among other things, a section named 'App-Zentrum' (App Centre) at the Internet address www.facebook.de, where Meta Platforms Ireland provides users with free games created by third parties. When some of those games are accessible in the App Centre, the user gets an alert that usage of the program allows the gaming firm to receive a specified amount of personal data.

Furthermore, The Federal Union, a body which has standing to bring proceedings under Paragraph 4 of the Gesetz über Unterlassungsklagen bei Verbraucherrechts- und anderen Verstößen (Unterlassungsklagengesetz – UKlaG) (Law on injunctions against infringements of consumer law and other infringements), of 26 November 2001, (5) considers that the information provided by the games concerned in the App Center is unfair, in particular in terms of the failure to comply with the legal requirements that apply to the obtention of valid consent from the user under the provisions governing data protection. Moreover, it considers that the indication that the application is authorised to publish certain personal information of the user on his or her behalf constitutes a general condition which unduly disadvantages the user.

The Landgericht Berlin (Regional Court, Berlin) ruled against Meta Platforms Ireland in accordance with the form of order sought by the Federal Union. The appeal brought by Meta Platforms Ireland before the Kammergericht Berlin (Higher Regional Court, Berlin, Germany) was dismissed. Meta Platforms Ireland then brought an appeal on a point of law (Revision) before the referring court against the dismissal decision adopted by the court of appeal.

Judge Consideration

The Commission correctly observed in its written observations, the answer to the question referred for a preliminary ruling depends solely on the interpretation of Article 80(2) of the GDPR, since the provisions of Article 80(1) of the GDPR and of Article 84 of the GDPR are not relevant in the present case. First, the application of Article 80(1) of the GDPR presupposes that the data subject has mandated the not-for-profit body, organisation or association referred to in that provision to take on his or her behalf the legal measures provided for in Articles 77 to 79 of the GDPR. It is common ground that that is not the case in the main proceedings, since the Federal Union acts independently of any mandate from a data subject. Second, it is common ground that Article 84 of the GDPR concerns the administrative and criminal penalties applicable to infringements of that regulation, which is also not at issue in the main proceedings.

Legal Issues Arose From the Case

Infringement by Meta Platforms Ireland of the German legislation on the protection of personal data constituting, at the same time, ‘an unfair commercial practice, an infringement of a law relating to consumer protection and a breach of the prohibition of the use of invalid general terms and conditions.’ This sentence shows that the prohibition is taken seriously by the consumer association (VZBV).

Analysis

At the beginning, this case was brought to the German Court and ruled in favour of VZBV. Facebook's consent methods lacked transparency, and the company's data collecting mechanisms might be deemed unfair under consumer protection laws. Meta Platforms challenged the ruling, claiming that GDPR enforcement is primarily the responsibility of data protection authorities, such as Ireland's DPC. Furthermore, In that appeal, the referring court considered that the action brought by the Federal Union was well founded, in so far as Meta Platforms Ireland had infringed Paragraph 3a of the Law against unfair competition and Paragraph 2(2), first sentence, point 11, of the Law on injunctions and had used an invalid general term or condition, within the meaning of Paragraph 1 of the Law on injunctions.

Article 80(2) of the GDPR which stated about Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.

This must be interpreted as not precluding national legislation that allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independent of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of the infringement of the prohibition of unfair commercial practices.

Furthermore, this case also talked about a key area of disagreement was whether Facebook's permission processes for processing user data were compliant with European data protection rules, notably the General Data Protection Regulation (GDPR). The VZBV claimed that Facebook's permission methods lacked transparency, making it impossible for consumers to comprehend how their data will be handled. They alleged that this method breached GDPR rules, specifically those relating to informed consent and transparency.

To some extent, VZBV also argued that Facebook's business model, which focused on gathering and monetising user data, was considered an unfair commercial conduct under consumer protection legislation. According to VZBV, Facebook was not adequately transparent about how user data was used for targeted advertising and marketing, resulting in an imbalance between users' rights and the company's financial interests.

Quo Vadis consumer protection & privacy

This case also drew the relationship between GDPR and national consumer protection laws. One of the larger legal issues in this case was whether national consumer protection bodies, such as the VZBV, had the legal standing to file lawsuits alleging GDPR violations, or if such enforcement was solely the responsibility of data protection authorities, such as Ireland's Data Protection Commission (DPC).

In the end, CJEU ruled that Consumer protection organisations, such as the VZBV, have the authority to file lawsuits in national courts for GDPR violations, even without a direct mandate from affected persons (Global Freedom of Expression, 2022) This verdict was significant because it allowed consumer protection groups across the EU to file lawsuits over data privacy violations, broadening the scope of GDPR enforcement beyond state data protection agencies.

GDPR intends to provide a high degree of protection for individuals' personal data, and organisations that process such data must do so in a transparent, lawful, and fair manner. Companies such as Meta Platforms must guarantee that consumers give informed and explicit agreement for their data to be used, especially when it is used for personalised advertising.

Impact of the Decision

The case also brings impact to digital platforms that must be open about how user data is collected and utilised, especially when it is monetised through advertising. This case emphasised the necessity of unambiguous consent processes and the need for digital platforms to conform their activities with GDPR guidelines.

VZBV Executive Director also stated that “It is no secret that some European data protection authorities have difficulties to combat the rampant data collection by big technology companies. In the past, the lack of enforcement has increasingly weakened the acceptance of the GDPR. Today's decision puts an end to the tiresome debate about the right of consumer organisations to take legal action to enforce data protection rights. Now it is clear: in addition to the supervisory authorities, civil society organisations such as vzbv can also sanction far-reaching violations of the GDPR. vzbv has been suing Meta, Google and Co. successfully and efficiently for a long time. Today's ECJ ruling creates legal certainty until the European Directive on Representative Actions will be transposed at the end of the year, which will also contain such a right” (Verbraucherzentrale Bundesverband – vzbv, 2022)

This case is a remarkable decision on GDPR. Reinforcing the significance of user permission and transparency in digital business models. The CJEU's decision not only clarified crucial areas of GDPR enforcement, but it also reinforced the role of consumer protection organisations in protecting individual rights. As a result, firms like Meta must carefully manage the complexity of data protection legislation in order to maintain compliance and prevent future legal difficulties.

Writer:

Faisal Hilmi

Privacy Consultant PRIVASIMU