“Companies are well advised to design their data protection processes to be legally compliant”

If Facebook & Co. commit data privacy violations, consumer protection associations can now also take action against them in the context of representative actions. You do not need an order from affected persons for this. This was decided by the European Court of Justice on April 28.

“This means that there are now additional players who monitor compliance with the GDPR in addition to the supervisory authorities. This increases the risks on the part of companies, which would therefore be well advised to design their data protection processes to be legally compliant. It was predictable that the European Court of Justice would make this decision. At the same time, it is to be hoped that the associations will act with a sense of proportion in the future,” says Dr. Stefan Drewes, CEO of Drewes Privacy Group.

Background: The German Federation of Consumer Organizations (vzbv) had filed an action for an injunction against Meta Platforms Ireland because it had made free third-party games available to its users, thereby violating the regulations on the protection of personal data, unfair competition and consumer protection. Although the Federal Court of Justice considered the action to be well-founded, it had doubts as to its admissibility. The European Court of Justice has now dispelled this and established that consumer protection associations can also bring collective actions against violations of the protection of personal data without being separately commissioned by data subjects.

The press release of the European Court of Justice can be found here: https://curia.europa.eu/jcms/upload/docs/application/pdf/2022-04/cp220068de.pdf