The First Civil Senate of the Federal Court of Justice, which is responsible inter alia for competition law, has to decide whether a breach by the operator of a social network of the obligation under data protection law to inform the users of this network about the scope and purpose of the collection and use of their data gives rise to claims for injunctive relief under competition law and can be pursued by consumer protection associations through an action before the civil courts.
Facts:
The defendant, Facebook Ireland Limited, which is domiciled in Ireland, operates the social network "Facebook". On the internet platform of this network there is an "App Centre" in which the defendant makes online games of other providers accessible to the users of its platform free of charge. In November 2012, several games were offered in this app centre, for which the following instructions could be read under the button "Play immediately": "By clicking on 'Play game' above, this application receives: Your general information, Your email address, About you, Your status messages. This application may post on your behalf, including your score and more." For one game, the instructions ended with the sentence: "This application may post status messages, photos and more on your behalf."
The plaintiff is the umbrella organisation of the consumer centres of the federal states. It objects to the presentation of the information given under the button "Play now" in the app centre as unfair, inter alia, from the point of view of a breach of law due to a violation of legal requirements for obtaining an effective consent of the user under data protection law. Furthermore, the court considers the final notice in a game to be a general business condition that unreasonably disadvantages the user. He considers himself authorised to assert claims for injunctive relief by way of an action before the civil courts pursuant to section 8 para. 3 no. 3 UWG and section 3 para. 1 sentence 1 no. 1 UKlaG.
Process history so far:
The Regional Court ordered the defendant, as requested, to refrain from presenting games on its website in an app centre in such a way that users of the internet platform, by pressing a button such as "Play game", make the declaration that the operator of the game receives information about the personal data stored there via the social network operated by the defendant and is authorised to transmit (post) information on behalf of the users. The defendant's appeal was unsuccessful. With its appeal, which was allowed by the Court of Appeal, the defendant continues to pursue its motion to dismiss the action.
The decision of the Federal Supreme Court:
The Federal Court of Justice stayed the proceedings and referred the question to the Court of Justice of the European Union for a preliminary ruling as to whether the provisions set out in Chapter VIII, in particular in Articles 80(1) and (2) and 84(1), of Regulation (EU) 2016/679 (the General Data Protection Regulation) preclude national rules which - in addition to powers of intervention of the supervisory authorities responsible for monitoring and enforcing the regulation and legal remedies for the data subjects - are not in conformity with the general data protection law. 1 of Regulation (EU) 2016/679 (the General Data Protection Regulation) preclude national rules which - in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the Regulation and the legal remedies available to data subjects - grant, on the one hand, competitors and, on the other hand, associations, bodies and chambers authorised under national law, the power to bring proceedings against the infringer by way of an action before the civil courts for infringements of the General Data Protection Regulation, irrespective of the infringement of specific rights of individual data subjects and without the mandate of a data subject. This question is controversial in the case law of the courts of instance and in the legal literature.
Is the GDPR a final regulation for the enforcement of the data protection provisions made in this regulation?
It is argued that the General Data Protection Regulation contains a final regulation for the enforcement of the provisions of data protection law made in this regulation and that a right of action of associations therefore only exists under the conditions of Art. 80 of the General Data Protection Regulation - which were not fulfilled in the dispute.
Are associations subject to legal action in data protection law?
Others do not consider the provisions made in the General Data Protection Regulation for the enforcement of rights to be conclusive and associations therefore continue to be authorised to enforce claims for injunctive relief due to the infringement of provisions under data protection law by way of action before the civil courts, irrespective of the infringement of specific rights of individual data subjects and without a mandate from a data subject. The Court of Justice of the European Union has already ruled that the provisions of Directive 95/46/EC (Data Protection Directive) - applicable until the entry into force of the General Data Protection Regulation on 25 May 2018 - do not preclude associations from bringing an action (judgment of 29 July 2019 - C-40/17). However, it is not clear from this decision whether this right of action continues to exist under the General Data Protection Regulation, which has replaced the Data Protection Directive.
Decision of the BGH of 28 May 2020 - I ZR 186/17
Lower courts:
Berlin Regional Court - Judgment of 28 October 2014 - 16 O 60/13
Kammergericht Berlin - Judgment of 22 September 2017 - 5 U 155/14
