The CJEU has issued its long-awaited decision in the case of Case C-252/21 | Meta Platforms and Others.
Users of Facebook must accepts its terms of service, which refer to Meta Platforms’ data and cookies policies. Under those terms, Meta Platforms collects data from other Meta Platforms group services, such as Instagram and WhatsApp, as well as from third-party websites and applications, via integrated interfaces or via cookies placed on the user’s computer or mobile device. In addition, Meta Platforms links those data to the Facebook account of the user concerned and uses them for various purposes including advertising.
The German Federal Competition Authority prohibited Meta Platforms from processing data in accordance with Facebook’s terms of service and from implementing those terms, and imposed measures to stop it from doing so. It found that the data processing in question, which it said did not comply with the GDPR, constituted an abuse of Meta Platforms’ dominant position on the social network market for private users in Germany.
Meta Platforms appealed. The German courts asked the Court of Justice whether national competition authorities may assess the compliance of data processing with the GDPR. In addition, the German court asked about the interpretation and application of certain provisions of the GDPR.
The Advocate General took the view that a competition authority may consider the compatibility of a commercial practice with the GDPR, but must consider any decision or investigation by the competent data protection authority under the GDPR.
The CJEU has now ruled on the matter. It states that, in the context of the examination of an abuse of a dominant position by an undertaking, it may be necessary for the competition authority of the member state concerned also to examine whether that undertaking’s conduct complies with rules other than those relating to competition law, such as the rules in the GDPR. However, where the national competition authority identifies an infringement of the GDPR, it does not replace the supervisory authorities established by the GDPR. The sole purpose of the assessment of compliance with the GDPR is merely to establish an abuse of a dominant position and impose measures to put an end to that abuse on a legal basis derived from competition law.
To ensure the consistent application of the GDPR, the national competition authorities are required to consult and cooperate the data protection regulators. In particular, where the national competition authority says it needs to examine whether an undertaking’s conduct is consistent with the GDPR, it must ascertain whether that conduct or similar conduct has already been the subject of a decision by the competent supervisory authority or a court. If that is the case, it cannot depart from it, although it remains free to draw its own conclusions from the competition law point of view.
The Court also observed that Meta’s data processing appeared to concern special categories of data (such as racial or ethnic origin, political opinions, religious beliefs or sexual orientation). The national court would need to decide if some of the information collected may actually allow such information to be revealed, irrespective of whether that information concerns a user of that social network or any other individual.
In addition, the court confirmed that the mere fact that a user visits websites or apps that may reveal such information does not in any way mean that the user manifestly makes public their data under the GDPR. This also applies if a user enters information into such websites or apps or where they click or tap on buttons integrated into them, unless the individual has explicitly made the choice beforehand to make the data relating to them publicly accessible to an unlimited number of people.
The Court also considered the processing of non-sensitive data and whether it was permitted by the GDPR even if the data subject had not consented. It found the need for the performance of the contract to which the data subject is party may justify it if the data processing is objectively indispensable such that the main subject matter of the contract cannot be achieved if the processing in question does not occur. Although it is a matter for the national court, the Court doubted whether personalised content or the consistent and seamless use of the Meta’s own group services meet those criteria. In addition, the personalised advertising by which the online social network Facebook finances its activity, cannot justify, as a legitimate interest pursued by Meta Platforms Ireland, the processing of the data at issue.
Lastly, the Court noted that the fact that the operator of an online social network, as controller, holds a dominant position on the social network market does not in itself prevent its users from validly giving their consent under the GDPR to their data being processed. However, since the dominant position may affect the freedom of choice of those users and create a clear imbalance between them and the data controller, it constitutes an important factor in determining whether the consent was in fact validly and, in particular, freely given. This is for the operator to prove.
The EDPB has issued a statement about the decision on LinkedIn saying that “The EDPB notes that the ECJ in its judgment for C-252/21 concurs with the EDPB’s position that controllers can only rely on contract as legal basis for processing that is objectively necessary to perform the contract. The EDPB has consistently held this position in its Binding Decision of December 2022 and its Guidelines 2/2019 on contract as a legal basis”.
The Court’s comments about the competition authorities’ powers, special category of data and whether consent is valid are fairly unsurprising. The key thing of interest is the Court’s views on the legal grounds for using personal data, such as legitimate interests and the performance of a contract. In fact the Court arguably appears to attack the entire business model. These could cause Meta (and other companies) a bit of a headache.