The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email: segreteria@imperialida.com

Complaints against GDPR violations

The several complaints lodged with national supervisory authorities, by international non-profits such as NoyB, La Quadrature du Net, Privacy International and others, are a practical example of the provisions of Article 80(1) of the GDPR, which allows data subjects to exercise their remedies recognized by the Regulation, by mandating not-for-profit bodies engaged in the field of personal data protection.

CJEU on “privacy” complaints by non-profit organisations

Within this framework, on April 28, 2022, the Court of Justice of the Union (CJEU) issued its judgment on Case C-319/20 concerning a reference for a preliminary ruling made by the German Federal Court (Bundesgerichtshof) in the dispute brought by the consumer association “Federal Union of Consumer Organisations and Associations” (hereinafter “Federal Union”) against Meta Platforms Ireland Limited, formerly Facebook Ireland Limited.

Preliminary questions in case C-319/20

The German referring court asked the CJEU whether the GDPR precludes a Member State from providing that a not-for-profit consumer organisation may act:

– for a data protection violation, which constitutes at the same time an unfair commercial practice, a consumer protection violation and a violation of the prohibition of the use of invalid general terms and conditions

– without having received a mandate from the data subject

– without proving the actual violation.

The Court’s answer was affirmative on all three questions.

Facts

As part of the services offered by the social network, Facebook Germany GmbH – the German subsidiary of the group – promotes advertising spaces under www.facebook.de: among these, the “App-Zentrum” (Application Centre) makes available to users free games provided by third parties. The use of the application implies the user’s acceptance of the general terms and conditions and the Privacy Policy. In this way, the game provider acquires the right to use and publish a set of user data, such as status notices, the user’s score, photos and other information.

The Federal Union, which under German consumer law is the body entitled to act on injunctions for the protection of consumers, sued the company Meta Platforms Ireland believing that the indications provided by the games in the Applications Area were “unfair” for violation of the rules on the valid consent of the data subject under the GDPR; in addition, the indication that the application is authorized to publish on behalf of the user some of his personal information would constitute a general condition that unduly penalizes the consumer, as such defected by nullity.

Legal Process

The action for an injunction under the German law against unfair competition brought by the Federal Union at first instance before the Land Court of Berlin was successful. Meta’s appeal against this decision before the Higher Regional Court of Berlin was rejected. Subsequently, the social network filed a cassation appeal against the rejection decision taken by the appellate court.
The latter court, while incidentally finding the Federal Union’s action to be well-founded, raised doubts about its admissibility (i.e., the Federal Union’s standing to bring such an action), as it could not rule out the possibility that the entry into force of the GDPR may have caused the Federal Union to lose standing, specifically, as a result of Article 80(2) of the Regulation.

Preliminary ruling

In Case C-319/20, the Bundesgerichtshof as referring court asks the CJEU for a preliminary ruling as to whether Article 80 of the GDPR does not allow a Member State to empower not-for-profit associations to take action against the infringer in the event of a violation of the GDPR:

  1. based on consumer protection law
  2. regardless of proof of such a violation
  3. in the absence of a mandate from the data subject.

In summary, the CJEU was asked whether, starting from consumer protection law, an organisation entitled to act to protect consumers under national law can enforce data subject rights under the GDPR, based on an alleged violation and even without a mandate.