Europe’s highest court unblocks another GDPR lawsuit against Big Tech

- Advertisement -

The decision of the European Union’s highest court today should unblock a slew of lawsuits brought by consumer protection organizations trying to enforce the General Data Protection Regulation (GDPR) standard against tech giants like Facebook and Twitter over issues such as the correctness of data collection. informed consent to the processing of personal data.

- Advertisement -

In today’s ruling, the Court (CJEU) confirmed that consumer protection organizations can bring representation claims against violations of the block’s laws protecting people’s data under the GDPR.

- Advertisement -

The appeal to the CJEU comes from a German court in a case brought against Meta (Facebook) by the Federal Union of German Consumer Organizations and Associations (aka vzbv) regarding the ToS of some free gaming applications running on its platform that require consent. from users without giving them the opportunity to opt out of processing if they play the game.

The CJEU ruling anticipates a broader change in the EU next year when the Representation Directive comes into force in June, further expanding the ability of consumer advocacy groups to litigate on behalf of individuals whose rights they believe are are violated.

- Advertisement -

“In today’s judgment, the court concluded that the GDPR does not preclude national law that allows a consumer protection association to initiate legal proceedings in the absence of the powers granted to it for that purpose and regardless of the infringement of specific data rights. subjects against a person allegedly responsible for a violation of personal data protection laws, on the basis of a violation of the prohibition of unfair commercial practices, a violation of consumer protection law or a prohibition on the use of invalid general terms and conditions, where the relevant processing of data could affect rights that are identified or identifiable individuals follow from this rule,” the court said in a press release.

Tech giants have routinely tried to frustrate these kinds of privacy claims by arguing that national courts lack jurisdiction under the GDPR, which is meant to harmonize national laws in this area. It also contains a mechanism (single window; OSS) that routes cross-border GDPR complaints through the lead data protection agency in the EU member state where each organization has its regional headquarters (for many tech giants, that means Ireland). ).

EU legislators have included OSS to make compliance easier for businesses. But its existence has exacerbated the practice of seeking anti-consumer forums, in which corporate giants rally around “friendly” regulators, exerting pressure at the political level—say, touting local jobs and the wealth generated by their presence—to encourage oversight in line with their commercial interests. interests.

This tactic also effectively reduces the regulator’s resources by piling up complex cases.

All of this pressure can and has contributed to bottlenecks in GDPR enforcement, delays in decision-making, and even closure or even termination of investigations. And complaints about this have recently led the EU Ombudsman to launch an investigation into the European Commission’s monitoring of the application of the GDPR.

In Facebook’s case, Ireland’s oversight has resulted in the equivalent of a complete enforcement freeze, as the service has not received a single final GDPR decision since the regulation went into effect in May 2018, despite a plethora of complaints (some of which now date back almost four years). of the year).

Ireland finally produced ruling on complaint against Facebook-owned WhatsApp last year. But dozens of complaints continue to come in – and just today, European privacy rights group noyb announced that the Irish Data Protection Commission (DPC) has settled with it what it called a “gross delay” in two Facebook-related cases. owned by Instagram and WhatsApp, which he also said would see Irish taxpayers pay a legal bill of several tens of thousands of euros.

“47 months after filing the ‘consent bypass’ lawsuit, Facebook DPC has agreed to pay tens of thousands of legal fees for judicial review of delays,” noyb said in a press release. “While the GDPR requires a decision to be made “without delay”, the DPC believes that four years to prepare a draft decision is reasonable. In most EU Member States, the law requires a decision to be made within 3 to 12 months.”

noyb’s press release offers an engaging visual metaphor for forum shopping, illustrating the latest painstaking developments in the never-ending saga of regulation. with the image of a snail crawling on a pile of money. (In case it wasn’t clear, the snail is Ireland’s DPC; not pictured: Facebook keeps all the data and laughs all the way to the bank.)

This annoying GDPR compliance bottleneck continues to weaken the EU’s flagship data protection regulation, making it extremely difficult for people to exercise their rights over the most powerful technology platforms.

This, in turn, means that any opportunities that open up opportunities for new litigation against major technologies – and today’s decision – not the first such decision of the CEC are important for redressing the imbalance of power between the platform giants and individual network users. Although next year’s pan-European change – through the implementation of the Representation Directive – should unlock more action, since this legislation will not rely on the procedure in question that exists at the national level.

However, in a note to his Web site (which we translated from German), vzbv calls the CJEU’s decision a “landmark ruling”, saying it means the Federal Court is “on the train again”. The consumer group has spent years trying to sue Facebook in areas such as unfair privacy settings, while Meta’s lawyers provided a cop-out, opposing local courts with any jurisdiction to deal with issues.

In a statement, Jutta Gurkmann, board member of vzbv, added that today’s CJEU decision “puts an end to the tedious debate about the right of consumer associations to bring data protection claims.”

“It’s no secret that some European data protection authorities are not quite up to the task of dealing with the growing data collection of big technology companies,” she said, adding: “In the past, this lack of enforcement has increasingly hampered the adoption of the GDPR.

“Now it is clear: in addition to supervisory bodies, civil society organizations such as vzbv can also punish violations of the GDPR to a very large extent. vzbv has long and successfully sued Meta, Google and Co. Today’s ruling by the European Court of Justice creates legal certainty until the European Class Action Directive, which also contains such powers, comes into force this year.”

Also commenting on the CJEU’s decision in a statement, Ursula Pahl, Deputy Director General of the European Consumer Organization, BEUC, welcomed it as “good news” while highlighting the importance of the impending pan-European directive in June 2023.

“Today’s decision is good news as it highlights that consumer groups can bring class action lawsuits against companies like Meta for violating the GDPR if this procedure exists at the national level. The GDPR is the most important law protecting people’s personal data in the EU. It is critical that it be better respected and decisions like today’s will help,” she said.

“From next year, new EU rules will allow consumer groups to hold representative promotions, which will further improve the situation. After that, consumer associations across the EU will be able, if they meet certain criteria, to file injunctions or class actions for damages against companies that violate the law, including under the GDPR. Then a new era of law enforcement by consumer groups will begin.”

Credit: /

- Advertisement -

Stay on top - Get the daily news in your inbox

DMCA / Correction Notice

Recent Articles

Related Stories

Stay on top - Get the daily news in your inbox