BGH: Meta Platforms violates GDPR with app center for free games
Consumer associations can sue on behalf of consumers in the event of data protection violations. The Meta subsidiary Facebook is feeling the effects of this.
Meta Platforms has violated the General Data Protection Regulation (GDPR) with its app center on Facebook for free games. After years of litigation, the Federal Court of Justice (BGH) has now settled the matter at the highest instance with a final ruling on Thursday.
The ruling stems from a lawsuit filed by the German Federation of Consumer Organizations (vzbv) in 2012 over Meta claiming the right to pass on user data such as email addresses and other private account data to game providers without asking. This is incompatible with Articles 12 and 13 of the GDPR, according to the BGH (case no. I ZR 186/17).
The Supreme Court justified its ruling by stating that the user was not initially informed about the type, scope and purpose of the collection and use of personal data in a generally understandable form, nor was he informed about the legal basis for the processing or the recipients of the data. The stumbling block: by clicking on "Play now", Facebook users gave the game providers permission to collect and evaluate a lot of personal data. A notice stated: "By clicking 'Play Game' above, this application will receive: Your general information, Your e-mail address, About you, Your status messages."
The BGH also considers this notice to violate the principle of fairness under Section 5 of the German Act against Unfair Competition (UWG), because essential information was withheld. In view of the economic importance of personal data for internet-based business models, data protection information obligations are of central importance. Users must be informed as comprehensively as possible about the scope and implications of consent in order to be able to make an informed decision.
Scope against the data-hungry
The legal dispute also concerned whether a breach of data protection law by a service provider gives rise to claims for injunctive relief under competition law and can be pursued by consumer protection associations in civil court. The BGH considered the vzbv's action to be justified, but had doubts about its admissibility due to the association's representative function. The judges therefore turned to the European Court of Justice (ECJ) in 2019. In 2022, the ECJ initially confirmed the general standing of associations to sue for infringements of the GDPR. In July 2024, the Luxembourg judges also applied this to cases involving breaches of information obligations under the GDPR.
The First Civil Senate of the Federal Court of Justice, which is responsible for competition law, has now implemented these ECJ requirements. Accordingly, the data protection violations justify claims for injunctive relief under competition law and can be pursued by consumer protection associations before civil courts. Mandates from individual data subjects are not necessary for this. It is sufficient to name a category or group of identifiable natural persons to bring an association action. Furthermore, in this case, it cannot be assumed that the plaintiff is asserting "purely hypothetical infringements".
"The BGH ruling strengthens consumer protection" in everyday digital life, the vzbv is pleased to report. All too often, consumers are "helpless in the face of data-hungry providers on the internet". This is why "strong consumer protection associations with the power to sue" are needed alongside the data protection authorities. However, the latter cannot impose sanctions.
(ds)