The Court of Justice of the EU ("CJEU"), in the case of Meta Platforms & Ors, Case C-252/21, delivered an important decision confirming that an abuse of dominant position in digital markets can be found by a national competition authority where there is a breach of the GDPR that leads to a breach of competition law, for example, through unlawfully processing personal data in a way that contributes to a dominant position on that market and that may amount to an abuse of dominant position.
However, where the national competition authority identifies an infringement of the GDPR, it does not replace the Data Protection Authorities ("DPAs"). Whilst national competition authorities are empowered to examine whether a company's conduct infringes the GDPR, they must do so in the context of assessing a breach of competition law. Their purpose is to determine if the processing of personal data contributes to a breach of antitrust law, particularly in cases where it leads to a dominant market position. They are expected to cooperate with DPAs, and to respect their decisions, to ensure the consistent application of the GDPR within the framework of competition law.
The CJEU's decision also includes some specific findings related to the lawful grounds for processing personal data by an online social network under the GDPR, for the purposes of personalised advertising, network security, product improvement, and sharing information with law enforcement agencies.
When users register with Facebook, they accept the general terms drawn up by that company, and consequently, the data and cookie policies. According to those policies, Meta collects users' on-platform and off-platform data to create profiles which it uses for personalised advertising purposes. The off-platform data consists of data concerning visits to third party webpages and apps, as well as data concerning the use of other online services belonging to the Meta Group (including Instagram and WhatsApp).
The German Federal Cartel Office prohibited, in particular, making the use of the online social network by private users resident in Germany subject, in the general terms, to the processing of their off-platform data, and prohibited the processing of those data without their valid GDPR consent. It based its decision on the fact that, since that processing was not consistent with the GDPR, it constituted an abuse of Meta Platforms Ireland’s dominant position on the German market for online social networks.
Hearing an action brought against that decision, the Higher Regional Court, Düsseldorf, asked the CJEU whether national competition authorities may review whether a data processing operation complies with the requirements set out in the GDPR. In addition, the German court referred questions to the CJEU about the lawful bases under Article 6 and Article 9 of the GDPR for the online social network's processing of personal data.
(1) Can national competition authorities review whether a data processing operation complies with the GDPR?
The CJEU concluded that, in the context of the examination of an abuse of a dominant position by an undertaking, it may be necessary for the competition authority of the Member State concerned also to examine whether that undertaking’s conduct complies with rules other than those relating to competition law, such as the rules laid down by the GDPR.
However, where the national competition authority identifies an infringement of the GDPR, it does not replace the DPAs. The sole purpose of the assessment of compliance with the GDPR is merely to establish an abuse of a dominant position and impose measures to put an end to that abuse on a legal basis derived from competition law. In order to ensure the consistent application of the GDPR, the national competition authorities are required, pursuant to Article 4(3) of the Treaty on European Union, to consult and cooperate sincerely with the DPAs monitoring the application of the GDPR.
In the present case, the CJEU noted that the Federal Cartel Office had fulfilled its obligations of sincere cooperation with the national supervisory authorities concerned, and the lead supervisory authority, as it had contacted the relevant German DPAs, and the Irish DPC to notify them of the action it had taken, and they had confirmed that no investigations were ongoing at the time by those authorities in relation to facts similar to those at issue in the main proceedings, and had raised no objections to its actions.
(2) (a) Lawful Bases for processing personal data
The CJEU considered whether, in the absence of the data subject's consent, the online social network's processing of personal data (excluding any sensitive data) could be made lawful on the basis of any of the lawful bases set out in Article 6(1) of the GDPR.
In regard to the contractual necessity lawful basis under Article 6(1)(b) of the GDPR, the CJEU held that the need for the performance of the contract to which the data subject is party may justify the data processing at issue only on condition that such processing is "objectively indispensable", such that the main subject matter of the contract cannot be achieved if the processing in question does not occur. Accordingly, a high threshold applies in order to rely on contractual necessity as a lawful basis.
The CJEU stated that the fact that such processing may be referred to in the contract or may be merely useful for the performance of the contract is, in itself, irrelevant in that regard. The decisive factor for the purposes of relying on Article 6(1)(b) of the GDPR, is that the processing is essential for the proper performance of the contract concluded between the controller and the data subject.
Subject to verification by the national court, the CJEU expressed doubts as to whether the online social network's processing of personal data for the purposes of providing 'personalised content', or 'the consistent and seamless use of [its] group’s own services', are capable of fulfilling those criteria. In particular, the CJEU noted that although such personalisation is useful to the user, insofar as it enables the user, inter alia, to view content corresponding, to a large extent, to his or her interests, personalised content does not appear to be necessary in order to offer that user the services of the online social network. Those services may be provided to the user in a form that does not involve such personalisation, such that the latter is not objectively indispensable for a purpose that is integral to those services.
In regard to the legitimate interests lawful basis under Article 6(1)(f) of the GDPR, the CJEU found that the data processing at issue can be regarded as necessary for the purposes of the legitimate interests pursued by the online social network or a third party, only on the condition that: the network has informed the users from whom the data have been collected of a legitimate interest that is pursued by the data processing; such processing is carried out only insofar as is strictly necessary for the purposes of that legitimate interest; and it is apparent from a balancing of the opposing interests, having regard to all the relevant circumstances, that the interests or fundamental freedoms and rights of those users do not override that legitimate interest of the social network or third party.
The CJEU held, firstly, that 'personalised advertising', by which the online social network finances its activity, cannot justify, as a legitimate interest pursued by Meta Platforms Ireland, the processing of the data at issue. The CJEU noted, in particular, that the processing at issue is particularly extensive since it relates to potentially unlimited data and has a significant impact on the user, whose online activities are monitored, which may give rise to the feeling that his or her private life is being continuously monitored. Accordingly, the interests and fundamental rights of a user override the interests of the online social network in regard to such personalised advertising by which it finances its activity, and Article 6(1)(f) GDPR cannot be relied on as a lawful basis for such processing activities.
Secondly, as regards the objective of ensuring 'network security', the CJEU held that that objective, as stated in recital 49 of the GDPR, constitutes a legitimate interest capable of justifying the data processing at issue. However, the CJEU stated that the referring national court will have to ascertain whether and to what extent the collection of off-platform data is actually necessary to ensure that the internal security of that network is not compromised.
Thirdly, as regards the ‘product improvement’ objective, the CJEU held that it cannot be ruled out that the online social network's interest in improving the product or service, with a view to making it more efficient, and thus more attractive, may constitute a legitimate interest capable of justifying the data processing at issue and such processing may be necessary in order to pursue that interest. However, subject to final assessment by the referring national court, the CJEU held that it appears doubtful whether the ‘product improvement’ objective may override the interests and fundamental rights of such a user, particularly in the case where that user is a child, in light of the scale of processing at issue, and its significant impact on the user.
Fourthly, as regards the objective of 'sharing of information with law-enforcement agencies' in order to prevent, detect and prosecute criminal offences, the CJEU held that this objective is not capable, in principle, of constituting a legitimate interest pursued by the online social network, under Article 6(1)(f) GDPR. The CJEU stated that a private operator such as Meta Platforms Ireland cannot rely on such a legitimate interest, which is unrelated to its economic and commercial activity. Conversely, this objective may justify processing by such an operator where it is objectively necessary for compliance with a legal obligation to which that operator is subject.
Finally, the CJEU held that the fact that the operator of an online social network, as controller, holds a dominant position on the social network market does not, as such, prevent its users from validly giving their consent, within the meaning of Article 4(11) of the GDPR, to the processing of their personal data by that operator. However, since that dominant position is liable to affect the freedom of choice of those users, who might be unable to refuse or withdraw consent without detriment, it constitutes an important factor in determining whether the consent was in fact validly and freely given. This is for the operator to prove. The CJEU held that the referring court will have to determine whether the users of the online social network have validly given their consent to the processing at issue.
(2)(b) Processing of Special Category Data & 'Manifestly made Public' exemption
The CJEU further observed that the online social network may be processing special category data under the GDPR, such as information revealing ethnic origin, political opinions, religious beliefs, or sexual orientation. It will be for the national court to assess the extent to which the data collected may allow such information to be revealed, irrespective of whether the information concerns a user of the social network or another person, and whether such processing is permissible.
However, the CJEU clarified that the exception under Article 9(1)(2)(e) of the GDPR, permitting the processing of special category data which has 'manifestly been made public,' does not apply when the data is revealed based on a user's website or app visit. In addition, the same applies where a user enters information into such websites or apps, or clicks or taps on buttons integrated into them, unless the user 'explicitly made the choice beforehand to make the data relating to him or her publicly accessible to an unlimited number of persons'.
The burden is on the online social network to demonstrate that the processing of such special category data aligns with the GDPR requirements.
This is an important judgment, both in respect of clarifying the intersection of competition and data protection law, and in respect of the lawful bases that an online social media network might rely on to legitimise its processing of personal data of users. The decision, in particular, shows the high threshold that must be met in order to rely on contractual necessity or legitimate interests as a lawful basis for processing personal data.