The First Civil Senate of the Federal Court of Justice, which is responsible for competition law, among other things, has to decide whether a violation by the operator of a social network of the data protection obligation to inform users of this network about the scope and purpose of the collection and use of their data establishes competition law claims for injunctive relief and can be pursued by consumer protection associations through a lawsuit before the civil courts.
Facts of the case:
The defendant, Facebook Ireland Limited, based in Ireland, operates the social network “Facebook”. On the internet platform of this network, there is an “App Center” where the defendant makes online games from other providers available to the users of its platform free of charge. In november 2012, several games were offered in this App Center, where the following notices could be read under the “Play Now” button: “By clicking ‘Play Game’ above, this application will receive: Your general information, Your email address, About You, Your status updates. This application may post on your behalf, including your score and more.” For one game, the notices ended with the sentence: “This application may post status updates, photos, and more on your behalf.”
The plaintiff is the umbrella organization of the consumer protection centers of the German federal states. It objects to the presentation of the notices provided under the “Play Now” button in the App Center as unfair, particularly from the perspective of a legal breach due to a violation of statutory requirements for obtaining effective data protection consent from the user. Furthermore, it considers the final notice in one game to be a general term and condition that unduly disadvantages the user. It considers itself authorized to assert claims for injunctive relief by way of an action before the civil courts pursuant to § 8 para. 3 no. 3 UWG and § 3 para. 1 sentence 1 no. 1 UKlaG.
Previous course of proceedings:
The District Court ruled in favor of the plaintiff, ordering the defendant to cease presenting games on its website in an App Center in such a way that users of the internet platform, by pressing a button such as “Play Game”, declare that the game operator receives information about the personal data stored there via the social network operated by the defendant and is authorized to transmit (post) information on behalf of the users. The defendant's appeal was unsuccessful. With its appeal, which was admitted by the appellate court, the defendant continues to pursue its request for dismissal of the action.
The decision of the Federal Court of Justice:
The Federal Court of Justice has suspended the proceedings and referred the following question to the Court of Justice of the European Union for a preliminary ruling: whether the provisions laid down in Chapter VIII, particularly in Art. 80 para. 1 and 2, as well as Art. 84 para. 1 of Regulation (EU) 2016/679 (General Data Protection Regulation), preclude national regulations that – in addition to the intervention powers of the supervisory authorities responsible for monitoring and enforcing the Regulation and the legal remedies available to data subjects – grant competitors on the one hand, and associations, bodies, and chambers authorized under national law on the other hand, the power to take action against infringers before the civil courts for violations of the General Data Protection Regulation, irrespective of the infringement of specific rights of individual data subjects and without a mandate from a data subject. This question is controversial in the jurisprudence of the lower courts and in legal literature.
Is the GDPR a conclusive regulation for the enforcement of the data protection provisions laid down in this Regulation?
The view is held that the General Data Protection Regulation contains a conclusive regulation for the enforcement of the data protection provisions laid down in this Regulation and that therefore, associations only have standing to sue under the conditions of Art. 80 of the General Data Protection Regulation – which were not met in the present case.
Do associations have standing to sue under data protection law?
Others do not consider the regulations on legal enforcement in the General Data Protection Regulation to be exhaustive and therefore continue to deem associations authorized to enforce claims for injunctive relief for violations of data protection provisions before the civil courts, irrespective of the infringement of specific rights of individual data subjects and without a mandate from a data subject. While the Court of Justice of the European Union has already ruled that the provisions of Directive 95/46/EC (Data Protection Directive) – which was applicable until the General Data Protection Regulation came into force on May 25, 2018 – do not preclude associations from having standing to sue (judgment of July 29, 2019 – C-40/17). However, it cannot be inferred from this decision whether this standing to sue continues to exist under the General Data Protection Regulation, which replaced the Data Protection Directive.
BGH Decision of May 28, 2020 – I ZR 186/17
Lower Courts:
LG Berlin – Judgment of October 28, 2014 – 16 O 60/13
Kammergericht Berlin – Judgment of September 22, 2017 – 5 U 155/14
