Play now, sue now – even for Consumer Protection Associations?
Once again, Facebook finds itself at the center of a groundbreaking question at the interface between data protection law and competition law: Are Consumer Protection Associations allowed to invoke unfair conduct in the event of data protection violations and take legal action against the social network instead of the relevant users? The European Court of Justice will hear the dispute surrounding Farmville and Candy Crush soon, since the German Federal Court of Justice has referred the question for a preliminary ruling to clarify the relationship between GDPR, the Unfair Competition Act (UWG), and the Injunctions Act (UKlaG).
In 2012, users were able to play the little colorful flashing games, for which Facebook cooperates with third-party online game providers for free via the social network’s app center. By clicking the “Play Now” button, users automatically agreed to their data being transferred to the game provider, which allowed it, among other things, to post “status messages, photos, and more” on the user’s Facebook profile on their behalf. The German Consumer Protection Associations considered this a clear data protection violation and sued for injunction for unfair trading. The Regional Court of Berlinand the Court of Appeal ruled that the button did not meet the strict information requirements for consent. The case is now pending at the Federal Supreme Court and the competent Competition Senate has already hinted that it sees a data protection violation, but has reservations about the plaintiff’s capacity to sue. A lot is therefore at stake for the German Consumer Protection Associations which have already conducted eight cases against Facebook since 2009.
The decisive factor will be whether the GDPR, which has been in force since May 2018, entitles solely the data subjects and the data protection authorities to prosecute data protection violations. That question is somewhat controversial. Some see the GDPR and Article 80 in particular as a final provision, meaning that associations are only entitled to take legal action if they have been commissioned by a specific data subject to pursue data protection violations. Both the Unfair Competition Act and the Injunctions Act on the other hand, grant the Consumer Protection Associations an independent right of action irrespective of the specific rights of data subjects. The Consumer Protection Associations argue that data subjects are frequently not in a position to effectively enforce mass data protection violations by large companies.
In 2019, the European Court of Justice has already ruled in the case relating to the Facebook “Like” button that the provisions of the former European Data Protection Directive do not conflict with an associations’ capacity to sue. It therefore remains to be seen whether this also applies under the GDPR and whether Consumer Protection Associations may continue to take legal action against Facebook and alike.