On 4 July 2023, the Court of Justice of the European Union (“CJEU”) delivered judgment in Case C-252/21 Meta Platforms and Others v German Federal Cartel Office, finding that national competition authorities are allowed to investigate and issue sanctions for a Company’s non-compliance with the General Data Protection Regulation (“GDPR”).
Also, in respect of combining personalised processing of user data, the CJEU imposed limitations on the interpretation of performance of contract and legitimate interests legal bases. In doing so, the ruling suggests that user consent is the only appropriate lawful basis.
Background
This case follows an appeal by Meta Platforms Ireland (“Meta”) against a 2019 ruling by the German Federal Cartel Office (“GFCO”), concerning Facebook’s European operations. The GFCO investigation focused on personal data used by Meta for personalised advertising aimed at Facebook users. As part of the Facebook registration process, Meta’s terms included information on personalised advertising. Users were required to agree to these terms. However, the GFCO argued that given the popularity of Facebook as a leading social network, users essentially had no real choice but to agree.
The GFCO’s ruling subsequently prohibited Meta from processing “off-Facebook data” of German users without their explicit consent (“off-Facebook data” refers to data collected by Meta from websites and applications outside of Facebook). The GFCO’s decision was based on the argument that Meta’s processing of personal data for personalised advertising was inconsistent with the GDPR, and, therefore an abuse of Meta’s dominant market position in Germany’s online social network market.
Following the 2019 ruling, Meta lodged an appeal with the German Düsseldorf Higher Regional Court, which subsequently made a preliminary reference to the CJEU. It asked for clarification as to whether national competition authorities were permitted to assess GDPR compliance and requested guidance on the application of specific GDPR provisions to a social network’s processing activities (specifically the appropriate legal bases for personalised advertising).
Competition Authorities Can Consider GDPR Compliance in Investigations
The CJEU said competition authorities may need to consider GDPR compliance when deciding whether or not a company has abused a dominant market position. The CJEU clarified that this only applies where GDPR compliance is crucial to determine whether a company has abused its dominant market position.
The CJEU clarified the roles of data protection authorities and competition authorities when investigating GDPR compliance. While competition authorities can consider a company’s non-compliance with the GDPR, they are not replacing the role of data protection authorities. Even where competition authorities identify non-compliance with the GDPR, they can only issue enforcement within the remit of competition law; data protection authorities remain responsible for enforcing the GDPR.
To avoid undermining the role of data protection authorities, where a competition authority is investigating GDPR compliance, it must first check whether a data protection authority (or court) has previously decided on the compliance issue or a substantially similar issue. If a decision exists, competition authorities must follow that decision or guidance. If a competition authority is investigating a new GDPR compliance issue, it is expected to collaborate proactively with relevant data protection authorities before making any decisions on GDPR matters. The CJEU imposes a duty on data protection authorities to offer “sincere cooperation” to competition authorities, including an obligation to respond to requests for information within a reasonable time and to inform about any intention to consult with other data protection or lead supervisory authorities. Although competition authorities are bound to follow the decisions and guidance of data protection authorities (where such guidance is provided), the CJEU emphasises that competition authorities remain free to reach their own decisions on specific issues arising from competition law.
Sensitive Data Obtained from an Individual’s Interaction with a Website or App is not Public Data
The CJEU ruling also considered a social network operator’s processing of special categories of personal data (such as health information or political affiliation). A social network operator may collect such sensitive data through an individual’s interaction with external websites or apps, using tracking technologies such as cookies. This data can then be linked back to a user’s social network account. The CJEU emphasised that processing special categories of personal data is prohibited under the GDPR, irrespective of whether the collection is unintentional or the data collected is inaccurate.
The CJEU examined whether a social network operator could rely on the “manifestly public” exemption under Article 9 GDPR as a justification for the processing of special categories of personal data as described above. The CJEU determined that the “manifestly public” exemption would only apply if an individual explicitly chose to make their data publicly accessible to an unlimited number of people which was unlikely in this case. Simply visiting or engaging with websites that might disclose special categories of personal data, like political party websites or health-related platforms, doesn’t make that data “manifestly public.” However, the CJEU acknowledged that it may be possible to rely on this exemption where there are clear settings available that allow a user to make an informed selection between their personal data being provided to a limited number of people or to the general public. Alternatively, social network operators are encouraged to obtain the explicit consent of individuals to be able to process special categories of personal data.
Legal Basis for Personalised Advertising on Social Networks
The CJEU considered the appropriateness of relying on performance of contract, legitimate interest and consent as legal bases in the context of personalised advertising on a social network. The ruling provided some insight on the most appropriate lawful basis, favouring user consent where data is obtained from an external source (outside the social network platform) and then linked back to a user’s social network account for the purposes of personalised advertising.
Consent
The CJEU reiterates that consent must be freely given to be valid under GDPR. The CJEU explored scenarios where consent cannot be freely given – such as, where there is a lack of genuine choice, a power imbalance, or consent for one purpose is bundled with another purpose. While the ruling acknowledges the potential for social network operators holding a dominant market position to influence a user’s freedom of choice, the CJEU did highlight that this does not prevent a user from freely giving their consent, but must be taken into account when making that determination.
The CJEU’s ruling states that social network operators need to provide users with two distinct consents for personalised advertising: one for the processing of their personal data gathered from within the social network, and another for the processing of their personal data gathered from sources outside the social network. The ruling stresses that if users are not offered these two distinct consents, it must be presumed that any consent given by users to process personal data collected from sources outside the social network is not given freely and is therefore invalid.
Performance of Contract
The CJEU determined that social network operators can justify tracking individuals’ activities for personalised advertising or use of integrated services (e.g., Meta’s Instagram and WhatsApp), without explicit consent, only if the processing is necessary for performance of a contract with the individual. The ruling clarifies that the performance of contract lawful basis can only be used by a social network provider where the processing is “objectively indispensable” such that the main subject matter of the contract cannot be performed unless the processing occurs. Whether or not the personalised processing or seamless use of other social network operator controlled services are necessary for the performance of the contract is subject to a final decision from the German Düsseldorf Higher Regional Court.
The CJEU recognised a power imbalance between a social media network operator (with a dominant market position) and its users in the context of Meta’s personalised advertising. With this in mind, the ruling clearly emphasises that users must retain the freedom to refuse to agree to specific processing provisions which are not necessary for the performance of the contract without being prevented from using the services. To accommodate this, the CJEU suggested that the social network operator could offer users an equivalent social network service without processing data for personalised advertising, possibly for an appropriate fee.
Legitimate Interests
The CJEU accepted that ”legitimate interests” could provide a legal basis for personalised advertising. However in this case, the court concluded that social network providers cannot rely on legitimate interests. The CJEU said users would not reasonably expect their personal data gathered from external sources outside of the social network to be used for personalised advertising without their explicit consent. For this reason, the social network operator’s interests in personalised advertising are overridden by the users’ interests and fundamental rights. The CJEU emphasised that such processing by social network operators could have a significant impact on a user’s private life, as it allowed operators to monitor a large part, if not almost all, of their online activities.
Implications of the CJEU Ruling
Intersection of Privacy and Competition
Although the decision in this case was specific to the GFCO and Meta, it will encourage competition authorities to pay greater attention to dominant companies’ compliance with GDPR as well as the impact of any non-compliance with competition. Notably, the CJEU described access to and the use of personal data to be a “significant parameter of competition” in the digital economy. So greater scrutiny of a company’s processing activities will likely feature more prominently in future competition law-related assessments, including in connection with the recent EU Digital Markets Act which contains consent obligations for cross-service processing of personal data by gatekeeper platforms (such as Google, Apple and Meta). The CJEU’s judgment provides clear guidance to competition authorities on their cooperation obligations; so enhanced cooperation between competition authorities and data protection authorities is expected.
Social Network Operators and Businesses Processing Personal Data
This decision has important take aways for social network operators and other similar businesses who collect user data from external sources and link these back to a user’s account or profile. The decision focuses on the use of the personal data gathered for personalised advertising but will likely impact any other uses of such personal data linked back to a user’s social network account or relevant profile.
Although this decision is pertinent to social network providers, particularly those in a dominant market position, it is also significant for all other businesses processing personal data, as it provides important insight on the CJEU’s views with respect to the processing of special categories of personal data and creates significant challenges for relying on performance of contract and legitimate interests as legal bases for personalised advertising. It remains to be seen how data protection authorities, national courts and competition authorities will interpret the decision, but many businesses currently relying on performance of contract or legitimate interests as legal bases for personalised advertising may now have to consider consent as the legal basis.