GDPR, Meta/Facebook and Competition Law
In its ruling of March 27, 20251, the German Federal Court of Justice in Karlsruhe held that data protection violations can also be pursued through civil litigation.
The ruling confirms that Facebook Ireland Ltd. used "click-to-play terms and conditions" which stated before the game started:
"By clicking 'Play Game' above, this app will receive: Your general information (?), your email address, About You, your status updates. This app may post on your behalf, including your score and more."
and that this did not sufficiently inform users of their data protection rights, thus constituting unfair commercial practice.
The ruling affirms previous case law. The CJEU had already determined last year that competitors may also act against GDPR violations. Initially, there were doubts about whether the GDPR’s legal nature made it applicable to the German Act Against Unfair Competition (UWG) and whether such enforceability created inequality in German law. However, the CJEU now explicitly allows claims to be brought by competitors and consumer protection organizations.
The German Federal Court further inquired whether violations of data protection information duties could lead to compensation or private claims: the CJEU confirmed in 2024 that such rights may indeed be infringed through incomplete information.
Crucially, the Court noted that this was not just a formal defect but that the user, by accepting the app's conditions, effectively gave the app a "blank check" to publish unspecified content on their behalf. This contradicts the fundamental idea of the GDPR, which is to protect individual data. The way the conditions were presented made it clear that the limits of legality had been overstepped.
The BGH found the app’s design and information to be a misleading omission under Section 5a (1) UWG – a "withholding of essential information".
Interestingly, the BGH also supported the lower court’s reasoning that the vaguely worded terms constituted an unfair General Terms and Conditions (AGB), which placed the user at an unreasonable disadvantage. The Higher Regional Court (OLG) further argued that the data protection violation served as an indication of unlawfulness. The BGH strongly affirmed this in para. 94 of the ruling:
"According to the wording of the user’s consent, the game operator could advertise, on behalf of the consenting user, products of other companies (e.g. cars or even sexually suggestive products) to that user’s friends. It is obvious that this undermines minimum data protection standards and would not be permissible under any data protection law—not even Irish law."
Even though the case touches on complex legal issues that have evolved over time, the takeaway is clear: those who design opaque terms to exploit user data open themselves to legal action.
1 Ruling of the 1st Civil Senate, March 27, 2025 – I ZR 186/17 –