Update Data Protection No. 150
Meta suffers defeat before the ECJ – National competition authority can find an infringement of the GDPR
With the judgment of 4 July 2023 (Case C-252/21), the European Court of Justice (“ECJ”) decided that a national competition authority can refer to the General Data Protection Regulation (“GDPR”) in its examination. However, this is only permissible in order to prove the abuse of a dominant position and to enact appropriate measures. In the judgment, the ECJ also established rules on how the national competition authority has to cooperate with the data protection supervisory authority in this examination.
In addition, the ECJ has taken a position on whether particularly sensitive data is also affected when data is processed by Facebook and whether a justification under the provisions of the GDPR is possible with regard to all data collected. Lastly, the ECJ specified whether and to what extent effective consent by users is possible, taking into account Facebook’s dominant position.
A. Facts of the case
The judgment has its origins in a legal dispute between the Federal Cartel Office (Bundeskartellamt, Germany) on the one hand and Meta Platforms Inc. (formerly Facebook Inc.), Meta Platforms Ireland Ltd (“Meta” – formerly Facebook Ireland Ltd) and Facebook Deutschland GmbH on the other.
Meta is the operator of the social network Facebook. Other online services such as WhatsApp, Oculus and Instagram also belong to the Meta group.
The main basis of Facebook’s business model is financing through advertising. The advertising displayed for the respective user is individualized according to his interests, life situation and consumer behavior. For this purpose, on the one hand, the data that a user provides when registering and, on the other, other user and device-related data are collected inside and outside of Facebook and the other online services provided by the Meta Group and linked to the respective user profile.
The addressees lodged an appeal against this decision with the Düsseldorf Higher Regional Court (Oberlandesgericht, OLG). The Düsseldorf Higher Regional Court then referred the matter to the ECJ for a preliminary ruling.
B. Decision of the ECJ
The ECJ has taken the following position:
I. Decision-Making Authority of the National Competition Authority
II. Data protection supervisory authority remains competent
However, if the national competition authority makes such determinations, it will not take the place of the supervisory authorities competent under the GDPR. The sole purpose of assessing compliance with the requirements of the GDPR is to identify abuse of a dominant position and to take measures based on competition law to remedy this situation.
In principle, according to Art. 55 (1) GDPR, the competent supervisory authority is responsible for fulfilling the tasks assigned by the GDPR in the territory of the respective Member State.
Therefore, the national competition authority must cooperate closely with the competent supervisory authority.
III. Processing of special categories of personal data
Furthermore, the Düsseldorf Higher Regional Court wanted to know whether Art. 9 (1) GDPR should be interpreted as meaning that special categories of personal data were processed within the meaning of the provision, which is generally prohibited under Art. 9 (2) GDPR, if a user accesses websites or apps that relate to the categories mentioned in Art. 9 (1) GDPR and enters data there, if necessary, and Facebook processes this in such a way that the data originating from the access is collected and linked to the respective user account. Special categories of personal data in this sense include those that may reveal racial or ethnic origin, political opinions, religious beliefs or sexual orientation.
If this is the case, the referring court wanted to know whether Art. 9 (2) lit. e GDPR should then be understood to mean that a user who calls up such third-party websites or apps, enters data on these websites or apps or identifies themselves there using his Facebook login data has manifestly made these data public within the meaning of Art. 9 (2) lit. e GDPR.
The ECJ stated that processing of special categories of personal data occurs when Facebook collects data in the manner mentioned above that relates to one of the special categories from Art. 9 (1) GDPR. Subject to the exceptions provided for in Art. 9 (2) GDPR, this is generally not permitted. It is now for the national court to examine whether the data collected actually enable such information to be disclosed.
With a view to the question of whether this processing of sensitive data could be permissible in exceptional cases under Art. 9 (2) lit. e GDPR, the ECJ made it clear that the mere fact that a website which could disclose such information is accessed does not constitute obvious disclosure within the meaning of the provision. The same applies if a user enters data there or clicks on buttons, unless they have previously explicitly expressed that they want to make this data publicly accessible. In this respect, however, an individual decision made by the user with full knowledge of the facts is required. The national court is now also required to examine whether the data subjects concerned have such an opportunity.
IV. Other legal bases
Based on this, the Düsseldorf Higher Regional Court also asked whether and under what conditions the collection of other off-Facebook data by Facebook could be justified under Art. 6 (1) lit. b and lit. f GDPR because the processing is necessary for the performance of a contract or to protect the legitimate interests of the data controller or a third party.
1. Performance of a contract
In this respect, the ECJ first explained that the processing of personal data is necessary for the performance of a contract within the meaning of Art. 6 (1) lit. b GDPR if it is objectively indispensable in order to achieve a purpose that is a necessary part of the contractual service intended for the data subject. The main subject of the contract should not be able to be performed without the processing in question. The fact that the processing is mentioned in the contract or is useful for its performance is in itself irrelevant. Rather, the processing of personal data being essential for the proper performance of the contract and there being no practicable alternatives are decisive. To the extent that personalization of the content is concerned, according to the ECJ ruling, this is helpful for the user, since it enables the display of content that corresponds to their interests. However, this personalization is not necessary in order to offer a user the basic services of a social network. Such services could also be provided in their essential range of functions without personalization being present. In this respect, this is not objectively essential in order to achieve a purpose that is a necessary part of the services. In addition, the consistent and seamless use of the entire Meta product portfolio is not a viewpoint that is justified under Art. 6 (1) lit. b GDPR. There is no obligation to register for the various services offered by the Meta group in order to be able to set up a user account on Facebook. Rather, the products could be used independently. According to the ECJ, subject to review by the referring court, such processing of off-Facebook data is not necessary to enable the provision of Facebook’s services.
2. Legitimate Interests
According to the ECJ, processing is required to protect legitimate interests of the data controller or a third party within the meaning of Art. 6 (1) lit. f GDPR if three cumulative conditions are met. First, there must be a legitimate interest in the processing of personal data, which must also be communicated to the users. Second, the processing of the data must be necessary for the realization of this legitimate interest and must take place within the limits of what is strictly necessary for the realization of the interest. Third, a weighing of the opposing interests, taking into account all relevant circumstances, must show that the interests and fundamental rights and freedoms of the users do not outweigh the legitimate interests of the data controller or a third party.
Lastly, the Düsseldorf Higher Regional Court had asked whether Art. 6 (1) lit. a and Art. 9 (2) lit. a GDPR should be understood in such a way that consent given by a Facebook user can be regarded as effective consent under the conditions of Art. 4 No. 11 GDPR. In particular, it asked whether such a consent can meet the criterion of being freely given if the operator of the social network holds a dominant position on the market.
According to the ECJ, a dominant position does not in principle preclude the possibility of effective consent being granted. However, it must be taken into account that this circumstance can affect the user’s freedom of choice, since the user may not be able to refuse their consent without suffering disadvantages. This imbalance also brings with it the risk of unilaterally enforcing conditions of use that are not strictly necessary. The user must have the freedom to refuse consent to certain data processing operations that are not strictly necessary for the performance of the contract without having to completely forego the use of the social network. As a result, an equivalent alternative that does not require such data processing must be offered, possibly for a reasonable fee. In order to make the extent of data processing clear to the user, it is necessary for effective consent to be given for data from the use of the social network itself on the one hand and for off-Facebook data on the other.
With the decision, the ECJ has strengthened the position of the Federal Cartel Office as the acting national competition authority vis-à-vis big companies like Meta. The Federal Cartel Office was allowed to base its decision on the requirements of the GDPR in order to justify that Meta is abusing its dominant position. In order to avoid jeopardizing the coherence of data protection law and the competence of the data protection supervisory authority, the national competition authority does not replace the supervisory authority. The national competition authority should therefore only examine violations of the GDPR in order to determine the abuse of a dominant position in the market and to take appropriate measures. When doing so, the national competition authority should cooperate with the supervisory authority and work with it loyally. It may not deviate from a decision of the supervisory authority if this conduct, or similar conduct, has already been the subject of a decision by the competent supervisory authority. In terms of a possible justification of the data processing in question under the provisions of the GDPR, while the ECJ has not made any final decisions for individual cases, it developed guidelines that are of practical relevance for all companies, not just the very big ones like Meta.