Meta Platforms Ireland (formerly Facebook Ireland Ltd) is the controller of the personal data of users of its social network in the EU. On the German Facebook platform, there is an area called “App-Zentrum” (“App Centre”) on which Meta makes third-party games available to users for free. Users browsing these games are informed that use of the app allows the third-party gaming companies access to a certain amount of personal data and gives them permission to publish data, such as the user’s gaming score, on behalf of that user. By using the app, the user accepts its general terms and conditions and data protection policy. Further, the user is informed that the app has permission to post photos and other information on the user’s behalf in relation to specific games.

The German Federal Union of Consumer Organisations and Associations considered that the information provided in the App Centre was unfair and issued proceedings in the German courts against Meta. The action was brought independently of a specific infringement of any particular data subject’s rights and without a mandate from a data subject.

At first instance, the German court found in favour of the German Union, and Meta’s first appeal was dismissed. Meta appealed to the German Federal Court of Justice, which asked the CJEU whether the GDPR precludes national rules from allowing consumer organisations to bring proceedings for breaches of the GDPR independently of the infringement of the rights of specific individuals and without a data subject’s mandate.

The CJEU found that Article 80(2) of the GDPR, which covers the representation of data subjects, does not preclude a consumer protection association from bringing legal proceedings against the body allegedly responsible for an infringement of data protection laws, in the absence of a mandate granted to it for that purpose and independently of the infringement of rights of any specific data subjects, on the basis of unfair commercial practices law, a breach of consumer protection law or laws banning the use of invalid general terms and conditions. Such proceedings can be brought where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from those laws. (Case C-319/20 Meta Platforms Ireland Ltd v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. EU:C:2022:322) — to read the judgment in full, click here).