A competition authority may consider the compatibility of a commercial practice with the GDPR

October 4, 2022

The Advocate General has given his opinion in the case of C-252/21
| Meta Platforms and Others (General terms of use of a social network
).

Users of Facebook must accept its terms of service, which refer to Meta Platforms’ data and cookies policies. Under those terms, Meta Platforms collects data from other Meta Platforms group services, such as Instagram and WhatsApp, as well as from third-party websites and applications, via integrated interfaces or via cookies placed on the user’s computer or mobile device. In addition, Meta Platforms links those data to the Facebook account of the user concerned and uses them for various purposes including advertising.

The German Federal Competition Authority prohibited Meta Platforms from processing data in accordance with Facebook’s terms of service and from implementing those terms, and imposed measures to stop it from doing so. It found that the data processing in question, which did not comply with the GDPR, constituted an abuse of Meta Platforms’ dominant position on the social network market for private users in Germany.

Meta Platforms appealed. The German courts asked the Court of Justice whether national competition authorities may assess the compliance of data processing with the GDPR. In addition, the German court asked about the interpretation and application of certain provisions of the GDPR.

The AG took the view that, although a competition authority does not have jurisdiction to rule on an infringement of the GDPR, it may nevertheless, in exercising its own powers, take account of the compatibility of a commercial practice with the GDPR. The AG emphasised that the compliance or non-compliance of that conduct with the provisions of GDPR may, depending on the circumstances, be an important indication of whether that conduct amounts to a breach of competition rules.

However, the AG also pointed out that a competition authority can only assess compliance with the GDPR as an incidental question, without prejudice to the powers of the competent data protection authority. Therefore, the competition authority must take account of any decision or investigation by the competent supervisory authority, inform them of any relevant details and, where appropriate, consult it.

Secondly, the Advocate General believed the mere fact that the undertaking operating a social network enjoys a dominant position on the national market for online social networks for private users does not call into question the validity of the consent of the user of that network to the processing of their personal data. However, it is relevant to the assessment of the freedom of consent, which it is up to the data controller to demonstrate.

Thirdly, the Advocate General said that Meta Platforms’ practices, may fall within the justifications provided for by the GDPR for the processing of data without the consent of the data subject, provided that the elements of that practice are actually necessary for the provision of the services relating to the Facebook account. However, the Advocate General considered that, although the personalisation of content and advertising, the continuous and seamless use of the Meta Platforms group’s services, the security of the network or the improvement of the product may be in the interests of the user or the data controller, those components of the practice at issue do not appear to be necessary for the provision of the services.

Fourthly, the Advocate General noted that the prohibition on processing sensitive personal data, relating, for example, to racial or ethnic origin, health or sexual orientation of the data subject, may also relate to the data processing at issue, including user profiling.

The AG emphasised that, for the exemption to that prohibition, relating to data which the data subject has manifestly made public, to apply, the user must be fully aware that, by an explicit act, they are making personal data public. According to the Advocate General, conduct consisting of visiting websites and apps, entering data into those websites and apps and clicking on buttons integrated into them cannot, in principle, be regarded in the same way as conduct that clearly makes the user’s sensitive personal data public.