CONSUMER groups can take privacy cases against tech giants on behalf of citizens, the advocate general at the Court of Justice of the EU has said.
The opinion came on the back of a German case against Facebook Ireland over how the social media giant gets consent for consumer data obtained via free games in its app store.
The case comes as EU privacy chief Vera Jourova warned tech companies to stop using “legal tricks” to skirt data protection rules.
In what appears to be a sideswipe at the Irish Data Protection Commission - which processes masses of cases given many tech firms are based here - Ms Jourova said it was taking “too long” for national authorities to process alleged infringements of the EU’s 2018 general data protection regulation (GDPR).
“In my view, it does take too long to address the key questions around processing of personal data for Big Tech,” she said in a speech in Brussels on Thursday.
“Yes, I understand the lack of resources. I understand there is no pan-European procedural law to help the cross-border cases. I understand that the first cases need to be rock-solid because they will be challenged in court.
“But I want to be honest – we are in the crunch time now. Either we will all collectively show that GDPR enforcement is effective or it will have to change. And there is no way back to [a] decentralised model that was there before the GDPR. Any potential changes will go towards more centralisation.”
She made the comments as MEPs and diplomats enter the final strait of talks on a major overhaul of Big Tech regulation – the Digital Services Act and Digital Markets Act – which seeks to hand the European Commission direct control over the supervision of the largest media companies.
Thursday’s ruling means consumer groups no longer need to wait for complaints to be made before acting.
Last year, Germany’s federal court, the Bundesgerichtshof, had asked the European Court of Justice whether the German consumer group was permitted to take a case against Facebook Ireland, given that there was no specific consumer making a complaint.
The German federation of consumer organisations sought to strike down what it described as the “unfair” way Facebook obtained consent for user data provided when people hit ‘Play’ in third-party games.
Some of the games, such as Scrabble, allowed the apps to post messages and photos on users’ behalf.
The European court’s advocate general, Richard de la Tour, ruled on Thursday the GDPR is “particularly suited” to defending the collective interests of citizens by consumer groups.
“The Member States may still provide for the possibility for certain entities to bring – without a mandate from the data subjects and without there being a need to claim the existence of actual cases affecting named individuals – representative actions designed to protect the collective interests of consumers, provided that an infringement of the provisions of that regulation which are intended to confer subjective rights on data subjects is alleged,” the court said in a statement.
"That is indeed the case of the action for an injunction brought by the Federation against Facebook Ireland.”
Ms Jourova said there was “a problem with compliance culture” among companies like Google, Facebook and Whatsapp.
“I think it is high time for those companies to take protection of personal data seriously. I want to see full compliance, not legal tricks. It’s time not to hide behind small print, but tackle the challenges head on.”