Following the renewed question referred by the BGH regarding the scope of Art. 80 para. 2 GDPR, the ECJ ruled on July 11, 2024 in case C-757/22 on the standing of consumer protection associations. According to the court, the breach of an information obligation pursuant to Art. 12 et seq. GDPR is sufficient to enable representative actions.
The background
Case C-757/22 is based on a new referral from Germany by the Federal Court of Justice (BGH) in a legal dispute that has already been heard by the ECJ (Case C-319/20). In the proceedings, the Federal Association of Consumer Organizations and Consumer Associations - Federation of German Consumer Organizations (vzbv) and Meta Platforms Ireland Limited (Meta) are in dispute over allegedly unlawful data processing by Meta in the so-called App Center. If users wanted to use a certain app, they had to accept Meta's conditions of participation and privacy policy, among other things. The vzbv considers this to be a violation of the law, as it considers consent obtained in this way to be invalid. In an initial order for reference, the BGH referred questions to the ECJ regarding the admissibility and scope of standing under German law and the GDPR. However, in the opinion of the judges at the BGH, the question of whether a breach of the information obligations under Art. 13 GDPR falls within the scope of Art. 80 para. 2 GDPR remained open. According to its wording, Art. 80 para. 2 GDPR presupposes that a representative action is only admissible if an infringement of the data subject's rights has occurred "as a result of processing". In proceedings C-757/22, the ECJ now had to answer whether the breach of the duty to provide information can constitute such processing.
The opinion of the Court
The Court confirms the Advocate General's view in his Opinion that an obligation to provide information under the GDPR does not by itself constitute processing. In the opinion of the court, the provision of information in accordance with Art. 12 et seq. GDPR is, however, a prerequisite for the lawfulness of data processing under Art. 6 GDPR. If, as in the present case, the data processing is based on the legal basis of consent, then transparently informing the data subjects is already a prerequisite for lawful processing. The duty to inform acts as the logical counterpart to the data subject's right to information, so that a breach of the duty to inform also directly results in a breach of the data subject's corresponding right to information. According to the court, processing that is carried out in breach of the information obligations owed to data subjects or of their information rights therefore results in the data subjects' rights being "infringed by processing".
The court once again emphasizes the preventive function of the right of associations to bring an action under Art. 80 para. 2 GDPR. Even if the present proceedings only clarified the question of whether a breach of information obligations in the context of data processing actually carried out with a consent requirement under Art. 6 para. 1 lit. a GDPR leads to legal standing under Art. 80 para. 2 GDPR, the court's decision should be understood to mean that associations generally have legal standing if they complain about processing in breach of information obligations under Art. 12, 13 GDPR.
Practical recommendation
Companies should check whether the information they provide as part of their obligations under Art. 12 et seq. GDPR and in the context of obtaining consent from data subjects meets the transparency requirements of the GDPR. Above all, it must be clear for what purposes the data of the data subjects are processed and on what legal basis, and who the recipients of the data are.