5(1) of the GDPR, specifically the obligation to implement appropriate technical and organizational measures, constitutes a serious breach of the GDPR. The ECJ emphasized that this obligation is not merely a technical requirement but a fundamental principle of data protection. The ECJ’s decision highlights the importance of robust data protection measures and the need for controllers to take proactive steps to ensure compliance with the GDPR.
The Federation of German Consumer Organizations (Verbraucherzentrale Bundesverband โ โVZBVโ), brought an action before the Regional Court of Berlin (Landgericht Berlin), claiming that the information provided to users by the games in the App Center was unfair, particularly in relation to the failure to obtain valid consent from users in compliance with data protection law. It further argued that the information by means of which the applications were given permission to publish certain personal information on behalf of users constituted a general condition which unduly disadvantaged those users. The Landgericht Berlin upheld the action and Meta appealed this decision before the Higher Regional Court of Berlin. This appeal was dismissed and Meta then further appealed to the Federal Court of Justice. The Federal Court of Justice did not rule out the possibility that the VZBV might have lost its prior right of action during the proceedings following the entry into force of the GDPR. As a result, the German Federal Court of Justice temporarily suspended the proceedings and referred a question to the ECJ for a preliminary ruling on the interpretation of Article 80 (1) and (2) and Article 84 (1) GDPR. In its judgment of 28 April 2022 (Meta Platforms Ireland C-319/20), the ECJ ruled that Article 80 (2) GDPR must be interpreted as not precluding a national provision that allows an association to bring an action to protect consumer interests due to a violation of personal data protection through unfair commercial practices or the use of ineffective general terms and conditions, provided that the data processing in question may affect the rights of natural persons under the GDPR.
However, the judgment did not address whether a violation of the information obligation under Article 12 (1), first sentence, and Article 13 (1)(c) and (e) GDPR constitutes a breach โas a result of processingโ within the meaning of Article 80 (2) GDPR. Consequently, the German Federal Court of Justice has once again suspended the proceedings and referred this specific question to the ECJ for clarification. Decision The ECJ held that where processing of personal data is carried out in breach of the data subjectโs right to information under Articles 12 and 13 GDPR, the infringement of that right to information must be regarded as an infringement of the data subjectโs rights โas a result of the processingโ, within the meaning of Article 80(2) GDPR. The ECJ further held that it therefore follows that the right of the data subject, under the first sentence of Article 12(1) and Article 13(1)(c) and (e) GDPR, to obtain from the controller, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, information relating to processing, constitutes a right whose infringement allows recourse to the representative action mechanism provided for in Article 80(2) GDPR.
Practical note This ruling by the ECJ will have significant implications for controllers in practice. Data protection notices, such as publicly accessible notices on websites, will be open to scrutiny by consumer protection associations such as the VZBV. There has been an increase in recent years of both consumer and privacy associations scrutinizing potential violations of data protection requirements, with the VZBV, for example, initiating numerous cases before the German courts โ particularly recent actions relating to the use of cookies. In a recently published statement, the VZBV has supported the ECJ judgement, stating that the โruling sends a positive signal to consumersโ.
* The European Court of Justice (ECJ) has ruled that companies must provide clear and concise data protection notices to their customers. * This ruling has implications for German data protection supervisory authorities, who may face increased scrutiny and potential enforcement actions. * The ECJ ruling could lead to consumer protection associations (CPAs) taking legal action against companies for inadequate data protection measures.
[View source.]
news is a contributor at gdprIQ. We are committed to providing well-researched, accurate, and valuable content to our readers.
