Meta suffers defeat before the ECJ – National competition authority can find an infringement of the GDPR

With the judgment of 4 July 2023 (Case C-252/21), the European Court of Justice (“ECJ”) decided that a national competition authority can refer to the General Data Protection Regulation (“GDPR”) in its examination. However, this is only permissible in order to prove the abuse of a dominant position and to enact appropriate measures. In the judgment, the ECJ also established rules on how the national competition authority has to cooperate with the data protection supervisory authority in this examination.

In addition, the ECJ has taken a position on whether particularly sensitive data is also affected when data is processed by Facebook and whether a justification under the provisions of the GDPR is possible with regard to all data collected. Lastly, the ECJ specified whether and to what extent effective consent by users is possible, taking into account Facebook’s dominant position.

A. Facts of the case

The judgment has its origins in a legal dispute between the Federal Cartel Office (Bundeskartellamt, Germany) on the one hand and Meta Platforms Inc. (formerly Facebook Inc.), Meta Platforms Ireland Ltd (“Meta” – formerly Facebook Ireland Ltd) and Facebook Deutschland GmbH on the other.

Meta is the operator of the social network Facebook. Other online services such as WhatsApp, Oculus and Instagram also belong to the Meta group.

The main basis of Facebook’s business model is financing through advertising. The advertising displayed for the respective user is individualized according to his interests, life situation and consumer behavior. For this purpose, on the one hand, the data that a user provides when registering and, on the other, other user and device-related data are collected inside and outside of Facebook and the other online services provided by the Meta Group and linked to the respective user profile.

For this data processing, Facebook relies on the user agreement concluded between the user and Facebook during registration, whereby the user must agree to the general terms of use and thus also the guideline for the use of data and cookies for registration. According to these, Meta collects user and device-related data about the user’s activity inside and outside of Facebook and assigns it to the respective user profile. Data about activities outside of Facebook itself, so-called off-Facebook data, includes on the one hand data on accessing third-party websites and on the other data on the use of other Meta Group services.

The Federal Cartel Office prohibited the company from making the use of Facebook by users living in Germany dependent on the processing of off-Facebook data and from processing this data without consent. It also obliged the companies to adjust the terms of use so that it was clear that the data in question would not be collected and linked to the user account without the user’s consent. In its decision, the Federal Cartel Office explained that the previous processing operation practice constituted an abusive exploitation of a dominant position held by the company on the market for social networks for private users within the meaning of Section 19 (1) of the German Competition Act (Gesetz gegen Wettbewerbsbeschränkungen, GWB). It claims the general terms of use are also abusive, as a result of the dominant position, because the use of the off-Facebook data is not in line with the GDPR and is also not justified under Art. 6 (1) and Art. 9 (2) GDPR.

The addressees lodged an appeal against this decision with the Düsseldorf Higher Regional Court (Oberlandesgericht, OLG). The Düsseldorf Higher Regional Court then referred the matter to the ECJ for a preliminary ruling.

B. Decision of the ECJ

The ECJ has taken the following position:

I. Decision-Making Authority of the National Competition Authority

The ECJ stated that both Art. 51 et seq. GDPR and Art. 4 (3) Treaty on European Union (“TEU”) are to be understood in such a way that the national competition authority of a Member State, when examining the abuse of a dominant position, can take into account the fact that a company’s terms of use, which relate to the processing of personal data, violate the GDPR. However, this only applies to the extent that this is necessary to prove the abuse of a dominant position.

II. Data protection supervisory authority remains competent

However, if the national competition authority makes such determinations, it will not take the place of the supervisory authorities competent under the GDPR. The sole purpose of assessing compliance with the requirements of the GDPR is to identify abuse of a dominant position and to take measures based on competition law to remedy this situation.

In principle, according to Art. 55 (1) GDPR, the competent supervisory authority is responsible for fulfilling the tasks assigned by the GDPR in the territory of the respective Member State.

Therefore, the national competition authority must cooperate closely with the competent supervisory authority.

III. Processing of special categories of personal data

Furthermore, the Düsseldorf Higher Regional Court wanted to know whether Art. 9 (1) GDPR should be interpreted as meaning that special categories of personal data were processed within the meaning of the provision, which is generally prohibited under Art. 9 (2) GDPR, if a user accesses websites or apps that relate to the categories mentioned in Art. 9 (1) GDPR and enters data there, if necessary, and Facebook processes this in such a way that the data originating from the access is collected and linked to the respective user account. Special categories of personal data in this sense include those that may reveal racial or ethnic origin, political opinions, religious beliefs or sexual orientation.

If this is the case, the referring court wanted to know whether Art. 9 (2) lit. e GDPR should then be understood to mean that a user who calls up such third-party websites or apps, enters data on these websites or apps or identifies themselves there using his Facebook login data has manifestly made these data public within the meaning of Art. 9 (2) lit. e GDPR.

The ECJ stated that processing of special categories of personal data occurs when Facebook collects data in the manner mentioned above that relates to one of the special categories from Art. 9 (1) GDPR. Subject to the exceptions provided for in Art. 9 (2) GDPR, this is generally not permitted. It is now for the national court to examine whether the data collected actually enable such information to be disclosed.

With a view to the question of whether this processing of sensitive data could be permissible in exceptional cases under Art. 9 (2) lit. e GDPR, the ECJ made it clear that the mere fact that a website which could disclose such information is accessed does not constitute obvious disclosure within the meaning of the provision. The same applies if a user enters data there or clicks on buttons, unless they have previously explicitly expressed that they want to make this data publicly accessible. In this respect, however, an individual decision made by the user with full knowledge of the facts is required. The national court is now also required to examine whether the data subjects concerned have such an opportunity.

IV. Other legal bases

Based on this, the Düsseldorf Higher Regional Court also asked whether and under what conditions the collection of other off-Facebook data by Facebook could be justified under Art. 6 (1) lit. b and lit. f GDPR because the processing is necessary for the performance of a contract or to protect the legitimate interests of the data controller or a third party.

1. Performance of a contract

In this respect, the ECJ first explained that the processing of personal data is necessary for the performance of a contract within the meaning of Art. 6 (1) lit. b GDPR if it is objectively indispensable in order to achieve a purpose that is a necessary part of the contractual service intended for the data subject. The main subject of the contract should not be able to be performed without the processing in question. The fact that the processing is mentioned in the contract or is useful for its performance is in itself irrelevant. Rather, the processing of personal data being essential for the proper performance of the contract and there being no practicable alternatives are decisive. To the extent that personalization of the content is concerned, according to the ECJ ruling, this is helpful for the user, since it enables the display of content that corresponds to their interests. However, this personalization is not necessary in order to offer a user the basic services of a social network. Such services could also be provided in their essential range of functions without personalization being present. In this respect, this is not objectively essential in order to achieve a purpose that is a necessary part of the services. In addition, the consistent and seamless use of the entire Meta product portfolio is not a viewpoint that is justified under Art. 6 (1) lit. b GDPR. There is no obligation to register for the various services offered by the Meta group in order to be able to set up a user account on Facebook. Rather, the products could be used independently. According to the ECJ, subject to review by the referring court, such processing of off-Facebook data is not necessary to enable the provision of Facebook’s services.

2. Legitimate Interests

According to the ECJ, processing is required to protect legitimate interests of the data controller or a third party within the meaning of Art. 6 (1) lit. f GDPR if three cumulative conditions are met. First, there must be a legitimate interest  in the processing of personal data, which must also be communicated to the users. Second, the processing of the data must be necessary for the realization of this legitimate interest and must take place within the limits of what is strictly necessary for the realization of the interest. Third, a weighing of the opposing interests, taking into account all relevant circumstances, must show that the interests and fundamental rights and freedoms of the users do not outweigh the legitimate interests of the data controller or a third party.

3. Consent

Lastly, the Düsseldorf Higher Regional Court had asked whether Art. 6 (1) lit. a and Art. 9 (2) lit. a GDPR should be understood in such a way that consent given by a Facebook user can be regarded as effective consent under the conditions of Art. 4 No. 11 GDPR. In particular, it asked whether such a consent can meet the criterion of being freely given if the operator of the social network holds a dominant position on the market.

According to the ECJ, a dominant position does not in principle preclude the possibility of effective consent being granted. However, it must be taken into account that this circumstance can affect the user’s freedom of choice, since the user may not be able to refuse their consent without suffering disadvantages. This imbalance also brings with it the risk of unilaterally enforcing conditions of use that are not strictly necessary. The user must have the freedom to refuse consent to certain data processing operations that are not strictly necessary for the performance of the contract without having to completely forego the use of the social network. As a result, an equivalent alternative that does not require such data processing must be offered, possibly for a reasonable fee. In order to make the extent of data processing clear to the user, it is necessary for effective consent to be given for data from the use of the social network itself on the one hand and for off-Facebook data on the other.

C. Conclusion

With the decision, the ECJ has strengthened the position of the Federal Cartel Office as the acting national competition authority vis-à-vis big companies like Meta. The Federal Cartel Office was allowed to base its decision on the requirements of the GDPR in order to justify that Meta is abusing its dominant position. In order to avoid jeopardizing the coherence of data protection law and the competence of the data protection supervisory authority, the national competition authority does not replace the supervisory authority. The national competition authority should therefore only examine violations of the GDPR in order to determine the abuse of a dominant position in the market and to take appropriate measures. When doing so, the national competition authority should cooperate with the supervisory authority and work with it loyally. It may not deviate from a decision of the supervisory authority if this conduct, or similar conduct, has already been the subject of a decision by the competent supervisory authority. In terms of a possible justification of the data processing in question under the provisions of the GDPR, while the ECJ has not made any final decisions for individual cases, it developed guidelines that are of practical relevance for all companies, not just the very big ones like Meta.