On March 27, 2025, the Federal Court of Justice (BGH) signed its press release (Number 059/2025) as follows:
”Consumer protection associations and competitors are authorized to prosecute breaches of data protection law by means of a competition law lawsuit before civil courts.”
With this notification, the BGH records decisions in several proceedings — BGH, judgments of March 27, 2025 - I ZR 186/17 as well as I ZR 222/19 and I ZR 223/19. The rulings are not really surprising because they incorporate answers from the European Court of Justice (ECJ) to questions asked by the Federal Court of Justice into German case law.
Let us therefore quickly take a step back: What are the facts behind the press release?
Right of action of consumer protection associations against data protection violations
After more than ten years, the proceedings of the Federal Association of Consumer Centres against Meta Platforms Ireland Limited (then Facebook Ireland Limited) came to an end with the decision of the Federal Court of Justice (judgment of March 27, 2025 - I ZR 186/17). It all began quite unspectacularly with a default judgment from the Berlin Regional Court dated September 9, 2013 (16 O 60/13) — back then on the old legal situation. In this, the Berlin Regional Court ruled:
“The link between the “Play game” button and the consent to unlimited data transfer proves to be misleading in accordance with Section 5 UWG, because the defendant gives the user the impression that his consent is effective when in fact this is not the case; because since the user does not know the scope of his statement, he cannot make a conscious decision about the transfer of his personal data. The requirements for effective consent in accordance with § 4a BDSG and § 13 paragraph 2 TMG are not met. By deceiving the user about the legal validity of his statement, he is also prevented from asserting his rights at least retrospectively. ”
In doing so, the district court responded to a practice on the Facebook platform in which the Facebook user sucked in via a link. “App Center” was provided, among other things, with free games from third parties. By pressing the “Play game” button, the user agreed to the transfer of various data to the third party provider, although the extent of the data transfer was only insufficiently pointed out below the button.
A lot has happened since this first (default) judgment: The default judgment was confirmed and the parties continuously brought legal action before the Federal Court of Justice (BGH), see the overview of the course of proceedings below. The Federal Court of Justice suspended the proceedings twice and referred questions to the ECJ in 2020 and 2022 on the interpretation of Article 80 of the EU General Data Protection Regulation (GDPR), which has been directly applicable in the EU member states since May 2018.
What did the ECJ decide?
1st ECJ judgment of April 28, 2022 (C-319/20)
As a result of the legal changes that have taken place since the lawsuit was filed, in particular the entry into force of the GDPR, the Federal Court of Justice had doubts as to whether the Federal Association still had legal standing and suspended the proceedings. The ECJ ruled on the question referred for a preliminary ruling that the Federal Association, as a qualified institution within the meaning of Section 4 UKlag, had legal standing in the present case. In doing so, the ECJ established the following principles:
· An association for the protection of consumer interests may meet the requirements of a Institution within the meaning of Art. 80 (1) GDPR fulfill;
· It must no specific violation of data protection rights of a data subject be presented;
· a lawsuit can without the request of a person concerned
· with the reasonsthat a Violation of the prohibition of unfair commercial practices, a Violation of a consumer protection law or a Use of ineffective general terms and conditions subpoenas, are collected,
· provided that the relevant data processing in the opinion of the association affects the data protection rights of identified or identifiable natural persons.
2nd ECJ ruling of 11 July 2024 (C-757/22)
In the subsequent judgment, the ECJ disputed the Federal Court of Justice's doubts as to whether failure to comply with the information requirements could constitute a violation of rights “as a result of processing” within the meaning of Art. 80 (2) GDPR. The ECJ based its argument in particular on recitals 10, 13, 39, 58, 60 and 142 of the GDPR, according to which
· equivalent protection in all EU Member States, including equivalent opportunities for law enforcement, is aimed at;
· any processing personal data rightfully and in good faith, i.e. above all transparent, must be successful.
For this purpose, the GDPR regulates principles for the processing of personal data and the rights of data subjects, which must be observed whenever personal data is processed. This includes the information rights of data subjects under Art. 12 et seq. of the GDPR, which in turn result in the person responsible's obligation to provide information. Accordingly, failure to provide information under Art. 80 (2) GDPR could be claimed. With regard to the specific case, the ECJ also explained that without the availability of all information, no informed and therefore effective consent could be given.
The Federal Court of Justice has now converted this into German law and ruled: Associations can prosecute data protection violations under the Unfair Competition Act (UWG) and the Injunctive Action Act (UKlag) on the basis of Article 80 (2) GDPR — specifically: According to Section 8 Paragraph 3 No. 3 UWG and Section 3 Paragraph 1 Sentence 1 No. 1 UKlag, the Federal Association of Consumer Centres has the power to act against breaches of information obligations Pursuant to Article 12 (1) sentence 1 GDPR in conjunction with Article 13 (1) (c) and (e) GDPR due to violations of the Unfair Act Competition and to sue against a consumer protection law within the meaning of Section 2 Paragraph 1 and 2 Sentence 1 No. 13 UKlag.
For a better overview, we have summarized the process for you here:
Default judgment of the Berlin Regional Court dated September 9, 2013 — 16 O 60/13
LG Berlin, judgment of 28.10.2014 — 16 O 60/13
KG, judgment of 22.09.2017 — 5 U 155/14
BGH, order of 11.04.2019 — I ZR 186/17 (suspension until ECJ referral decision in case C-40/17)
BGH, order of suspension and referral dated 28.05.2020 — I ZR 186/17
Advocate General at the ECJ, Opinion of 02.12.2021 — C-319/20
ECJ, judgment of 28.04.2022 — C-319/20
BGH, order of suspension and referral dated 10.11.2022 — I ZR 186/17
Advocate General at the ECJ, Opinion of 25.01.2024 — C-757/22
ECJ, judgment of 11.07.2024 — C-757/22
BGH, judgment of March 27, 2025 - I ZR 186/17
Our continued contribution to competitors' right of action against data breaches will follow...
