“A national competition authority may also find a breach of the GDPR in the context of the audit of whether a dominant position is being abused.”
Background to the decision
The Düsseldorf Higher Regional Court, before which an appeal against this decision is pending, then referred questions to the CJEU on the power of national competition authorities. These included the right to examine compliancy with the GDPR at all and the right to interpret certain provisions of the GDPR in connection with data processing by operators of online social networks.
Current judgements on the GDPR
Read our regular reviews of data protection law rulings to stay up to date!
In its judgment, the CJEU stated that in the context of an audit of abuse of a dominant position by a company, that it may also be necessary to examine whether the company’s conduct is compatible with other provisions, such as the GDPR. However, if the NCA finds a breach of the GDPR, it does not replace the supervisory authorities, which remain competent under the GDPR. The audit of GDPR compliancy serves solely to identify abuse of a dominant position and to take measures in accordance with competition law. The court emphasised that NCAs have a commitment to coordinate and cooperate loyally with supervisory authorities to ensure a consistent application of the GDPR.
The CJEU also pointed out that Meta Platforms Ireland’s data processing activities also appeared to involve special categories of personal data, the processing of which was in principle prohibited under Art. 9 of the GDPR. The national court had to examine whether certain data allowed the disclosure of such information, regardless of whether it concerned the Facebook user or other natural persons. The question of whether the processing activity of such sensitive data was exceptionally permissible because the data subject would have obviously made such data public was clearly answered in the negative. Simply accessing websites or apps that can reveal such information does not automatically mean that the data have been made manifestly public. Nor does this apply if a user enters data or presses buttons on such websites or in such apps. Something else is only conceivable if the user has explicitly consented to this data being publicly accessible.
The CJEU also examined whether Meta Platforms Ireland’s general data processing activities (including non-sensitive data) fall within the GDPR’s justifications, which may allow processing without the data subject’s explicit consent. However, if the processing is based on the necessity for the performance of the contract with Facebook users, the processing activity must be objectively necessary to fulfil the main subject matter of the contract.
Subject to review by the national court, the CJEU expressed doubts as to whether the personalisation of content or the seamless use of Meta’s services necessarily required this criterion. A legitimate interest of Meta in the financing of its services could also not justify the data processing in question in the specific case.
Finally, the CJEU held that the dominant position of the operator of an online social network did not in itself preclude users from effectively consenting to data processing by that operator. However, a dominant position of an online service could affect the users’ freedom of choice. Therefore, the dominant position is an important aspect in the audit of whether the consent was effective and voluntarily given. Meta bears the burden of proof for the existence of voluntary consent of its users.
As expected, the CJEU ruled in favour of the users to the full extent. In addition to the competition law issues, there is also room for data protection law arguments, without calling into question the competence of the data protection supervisory authorities.
The ruling is particularly interesting regarding the assessment of the required voluntariness of consent. This is because the dominant position of the operator platform also plays an important role for the chasing of a conscious decision by the users. The wider the reach of a social network, the higher the psychological compulsion for users to use the service, as in “the ends justify the means”.
A similar effect is achieved by all large social networks, which are in such an exposed position through their amount of users that they can dictate the conditions for their use. The social pressure alone to have to use precisely this channel for the greatest possible attention leads to an indissoluble asymmetry of power between platform operators and users.
Not least because of this predicament of users, the requirements for lawful consent must be all the higher. Whether one can ever assume voluntariness under this premise, however, remains open. Concrete design options and requirements for such a voluntary decision are still up in the air. Ultimately, this is probably only conceivable via an alternatively offered paid version.