When it comes to data protection breaches on the Internet, individuals often seem powerless. As an association, consumer advocates have the potential to take action against Facebook & Co. The ECJ has yet to clarify whether this is permissible. An expert has already made a preliminary decision.

When it comes to whether consumer protection organizations are allowed to approach the courts in the event of data breaches by Internet companies such as Facebook and Google, the verdict in favor of consumer centers arises: expert Richard de la Toure in the European Court of Justice (ECJ), with the exception that the associations have the right to sue without exception. This is revealed from the recommendations published by ECJ. Opinions are not bound, but Luxembourg judges often follow them.

The German Federal Court of Justice (BGH) had asked the ECJ to clarify whether the provisions of the European General Data Protection Regulation (GDPR) were in conflict with such national regulation. In May 2020, BGH asked the ECJ about this.

Criticism of automatic transmission of data

According to the Federal Association of Consumer Organizations (vzbv), the lawsuit was started in 2012 after Facebook illegally enabled online game providers to collect personal data from gamers. In particular, it was about Facebook’s “App Center” design, which offers free games from third-party providers. The umbrella organization of consumer centers had criticized Facebook for violating data protection in the “App Center”.

At least in the 2012 version, users would automatically consent to transfer various data to the game operator by clicking on “Play Now”. Applications – They authorize the game operator to post “status messages, photos and more”.

BGH found a violation of the Data Protection Act

So vzbv initially won against Facebook: the network did not provide enough information on what data was transmitted and what happened to it, the Berlin Court of Appeals ruled in 2017.

The case was finally closed in federal court in May 2020. Judge Thomas Koch found that Facebook had committed a relatively clear violation of the Data Protection Act. The user remains in the dark about what is going on in his data.

However, the question remains as to whether associations such as vzbv are eligible to sue. Facebook has argued in the proceedings that only data protection officers are eligible for GDPR to punish violations. In doing so, the EU legislator wanted to create legal guarantees for companies, Facebook’s lawyer said before the BGH. National specifics were the opposite.

DSGVO does not stand in the way of German control

However, in Germany, not only supervisory authorities can take action against data protection violations: competitors, associations, institutions and chambers can prosecute without a data subject order.

The ECJ expert has now taken the position that GDPR is not an obstacle to German regulation. According to the report, EU countries may allow certain institutions to bring about collective action “to protect the collective interests of consumers” without the order of injured people.

A spokesman for the Facebook group Meta said the company would analyze the Advocate General’s latest statement. “Legal clarity on the scope and procedures of the General Data Protection Regulation is important, and we welcome the European Court of Justice to consider the issues raised in this case.”