Consumer associations, future defenders of personal data against platforms?
The Court of Justice of the European Union (CJEU) clarified the rights of consumer associations in the defense of personal data in a judgment given on April 28. It decided that the Federal Union of Central and Consumer Associations – a German association – could take legal action against Meta (formerly Facebook) for violating rules related to personal data, consumer protection and the fight against competition.
Appropriate association?
It was the German Federal Court of Justice that put a question to the European judge. He wondered if there was still an association to protect consumer interests – since the General Data Protection Regulation (GDPR) came into force – with the power to take an action before the courts on his behalf.
In fact, the Federal Union of Central and Consumer Associations accused Meta of violating Facebook users’ personal data. The social network offers users free games provided by third parties through a dedicated space. Their use implies the authorization of the editor of the application to collect certain personal data of the user and authorize him to run publications in his name, such as his score.
According to the association, these indications are unfair because the user’s consent was not validly collected. In addition, he considered that the application constituted a statement authorizing the disclosure of information “A common condition that harms the user unnecessarily“
An interpretation consistent with the spirit of the GDPR
The CJEU responds that the GDPR does not prohibit a national regulation from allowing a consumer association to take legal action on its behalf for a personal data breach. In fact, considering that it comes under the concept “Organizations that stand for actingr” within the meaning of the GDPR.”Such an interpretation is consistent with the objective pursued. which is specifically constituted by this text “To ensure a high level of data protection“Personal,” she concludes.
This European decision is important because it opens a path for associations that, since GDPR came into effect, have seen their claims blocked. On the other hand, its scope should vary because the associations do not have the same importance depending on the European country. Furthermore, depending on their budget, it is not necessarily appropriate to attack large companies that have almost unlimited means.
