In one of our previous texts (available here) we wrote about the connection between the protection of competition and protection of personal data, namely whether competition authorities may consider infringements of personal data in their investigations.
In relation thereto, below we present a text regarding a judgment of the Court of Justice of the EU (“the CJEU”) enacted on July 4, 2023, in a case pertaining to company Meta, the owner of Facebook (CJEU – C-251/21 Meta Platforms and Others v Bundeskartellamt), according to which competition authorities, while examining the abuse of dominant position, may decide on (non)compliance of activities of a business entity with provisions of the GDPR (“the Judgment”).
Circumstances of the case
Namely, company Meta (Meta Platforms Ireland), as mentioned before, provides the service of social network Facebook, while other companies within Meta group provide the services of other networks, i.e., applications (such as Instagram and WhatsApp).
Business model of this company implies, among other, personalised advertising on Facebook based on detailed analysis of activities of the users of this application and other online services provided by Meta group. Namely, the users provide their personal data upon registration on Facebook, whereas Meta also collects users’ data through other services rendered by companies from this group and through third parties’ applications, i.e., from other web locations. All these data are subsequently linked to the users’ accounts and such aggregate view of the data allows Meta to draw detailed conclusions about users’ preferences and interests.
The said data are processed by Meta based on agreement to which the users of Facebook adhere when they accept the general terms of use (which need to be accepted to use the social network concerned).
The German Federal Cartel Office (Bundeskartellamt), as competent competition authority, brought proceedings against several companies from Meta group (Meta Platforms, Meta Platforms Ireland and Facebook Deutschland) and passed a decision prohibiting the stated companies from making, through their general terms, the use of Facebook subject to the processing of their off-Facebook data, as well as from processing the data without the users’ consent, finding that such processing constitutes an abuse of dominant position of Meta company on the market of online social networks in Germany. The reason for such decision is based on principles and provisions of the GDPR and the authority concerned deems that such processing is neither founded nor justified in the light of Article 6(1) and Article 9(2) of the GDPR.
Meta brought an action against the decision before the Higher Regional Court in Düsseldorf and the latter subsequently referred to the CJEU for preliminary decision.
Findings of the Court
Following are the key statements of the Judgment.
Firstly, the CJEU took the position that, in the context of examining the abuse of dominant position of a business entity on a market, it might be necessary that a national competition authority examines whether the practice of such entity is in line with other rules, i.e., those that do not strictly refer to the protection of competition, such as the GDPR for example.
Accordingly, the CJEU established that, under the provisions of Article 51 of the GDPR and Article 4(3) of the Treaty on the EU, a national competition authority may establish that a business entity’s general terms of use and their application are not in conformity with the GDPR, when this is necessary to examine the existence of abuse of dominant position.
If a business entity’s actions, that are subject to examination by a competition authority as regards their compliance with the GDPR, were previously examined by a personal data protection authority or a court, the competition authority may not waive such decision. Namely, the respective authority shall be obliged to consider such position, however it may draw its own conclusion from the aspect of regulations on the protection of competition.
In this case, the CJEU considered and established that collection of personal data by means of interfaces, cookies or similar technologies – data on users’ visits to certain websites and applications, the linking of those data with the user’s account and the use of those data by the operator of the social network, must be regarded as processing of special categories of personal data in terms of Article 9 of the GDPR.
As a rule, such processing is prohibited, subject to derogations provided for in Article 9(2) of the GDPR.
In addition, the CJEU examined whether the processing activities performed by companies of Meta group are based on appropriate legal grounds in terms of Article 6(1) of GDPR and established that the processing related to the enforcement of the agreement concluded with users shall only be legitimate providing that it is objectively indispensable. This is the case when the main subject, i.e., aim of the agreement cannot be achieved without the processing concerned.
In relation thereto, the CJEU expressed doubt as to whether Meta meets the stated requirements and noted that, in the absence of the data subject’s consent, personalised advertising by which Facebook finances its operations cannot support legitimate interest as legal grounds for data processing in terms of the GDPR.
Finally, the CJEU found that the fact that the social network operator, as controller of personal data, holds dominant position in a market, does not prevent the users of the stated network to provide valid consent to processing of their personal data by virtue of Article 4(11) of the GDPR.
However, given that such position may influence the freedom of choice of the users and/or create a distinctive imbalance between them and the data controllers, the CJEU underlined that this is an important factor for establishing whether the consent is legally valid, in particular freely given (which is fir the controller to prove).
By Ivana Ruzicic, Partner, and Lara Maksimovic, Senior Associate, PR Legal