Consumer protection associations should also be authorised to sue if only GDPR information obligations are violated
In his Opinion delivered 25. January 2024 in Case C-757/22 before the ECJ, Advocate General Jean Richard de la Tour comments on the standing of associations under Art. 80 (2) GDPR. In his opinion, in certain cases, the breach of an information obligation under Chapter 3 of the GDPR is sufficient to enable representative actions.
The background
Case C-757/22 is a renewed referral procedure from Germany by the Federal Court of Justice (BGH) in a legal dispute that has already been heard by the ECJ (Case C-319/20). In the proceedings, the Federal Association of Consumer Organizations and Consumer Associations - Federation of German Consumer Organizations (vzbv) and Meta Platforms Ireland Limited (Meta) are in dispute over allegedly unlawful data processing by Meta in the so-called App Center. If users wanted to use a certain app, they had to accept Meta's conditions of participation and privacy policy, among other things. The vzbv considers this to be a violation of the law, as it considers consent obtained in this way to be invalid. In an initial order for reference, the BGH referred questions to the ECJ regarding the admissibility and scope of standing under German law and the GDPR. However, in the opinion of the judges at the BGH, the question of whether a breach of the information obligations under Art. 13 GDPR falls within the scope of Art. 80 para. 2 GDPR remained open. According to its wording, Art. 80 para. 2 GDPR presupposes that a representative action is only admissible if an infringement of the data subject's rights has occurred "as a result of processing". The ECJ must now answer whether the breach of the duty to provide information can constitute such processing in proceedings C-757/22.
The opinion of the Advocate General
The Advocate General first clarifies that an obligation to provide information under the GDPR does not by itself constitute processing in terms of the GDPR. However, he is of the opinion that the provision of information in accordance with Art. 12 et seq. GDPR could be a prerequisite for the lawfulness of data processing under Art. 6 GDPR. As in the present case, the data processing is based on the legal basis of consent requires the transparent information of the data subjects. If so, the information requirement is already a prerequisite for lawful processing in the Advocate General's opinion. If an association complains about specific processing based on consent within the scope of the right of association action due to a breach of the information obligations, then this connection between the violated (information) rights of the data subject on the one hand and the data processing based on this is sufficient to fulfill the requirements for an action under Art. 80 para. 2 GDPR.
The Advocate General's opinion may not mean that every breach of the duty to provide information could be complained about per se under Art. 80 para. 2 GDPR. Rather, this could only apply if the data processing became unlawful as a direct result of the breach of the information obligation. However, this is expressly only the case in the context of consent.
Practical recommendation
Regardless of the outcome of the proceedings, it is already clear that the ECJ will once again specify the requirements for transparency and the protection of data subjects' rights. Not least for this reason, companies should regularly check whether the information they provide to data subjects as part of their obligations under Art. 12 et seq. GDPR as well as prior collection of consent meet the transparency requirements of the GDPR.
