“A national competition authority may also find a breach of the GDPR in the context of the audit of whether a dominant position is being abused.”
So says the press release from Luxembourg on the recent Meta judgment. The underlying verdict of the Court of Justice of the European Union (CJEU) in Case C-252/21 v. Meta Platforms and Others (General Terms of Use of a Social Network) confirms that a national competition authority (NCA) may also find infringements of the General Data Protection Regulation (GDPR) when auditing an abuse of a dominant position. However, in such cases, the competition authority must also consider the decisions or investigations of the competent supervisory authority under the GDPR.
Background to the decision
The case concerns the online social network Facebook, which is operated in the European Union by Meta Platforms Ireland. Users agree to Facebook’s Terms of Service and Data Use and Cookie Policy when they sign up. These policies allow Meta Platforms Ireland to collect data about users’ activities inside and outside the network and link it to the Facebook accounts of the users concerned. The so-called off-Facebook data collected relates to activities on third-party websites and apps as well as the use of other online services of the Meta Group, namely Instagram and WhatsApp. This data makes it possible to send personalised advertising messages to Facebook users and to commercialise their data on a large scale.
The German Federal Cartel Office (Bundeskartellamt) had prohibited the General Terms of Use from making the use of Facebook by private users living in Germany dependent on the processing of their off-Facebook data without obtaining their explicit consent. The Federal Cartel Office argued that this processing activity constituted an abuse of Meta Platforms Ireland’s dominant position in the German market for online social networks and was not in line with the GDPR.
The Düsseldorf Higher Regional Court, before which an appeal against this decision is pending, then referred questions to the CJEU on the power of national competition authorities. These included the right to examine compliancy with the GDPR at all and the right to interpret certain provisions of the GDPR in connection with data processing by operators of online social networks.
Current judgements on the GDPR
Read our regular reviews of data protection law rulings to stay up to date!
The Judgment
In its judgment, the CJEU stated that in the context of an audit of abuse of a dominant position by a company, that it may also be necessary to examine whether the company’s conduct is compatible with other provisions, such as the GDPR. However, if the NCA finds a breach of the GDPR, it does not replace the supervisory authorities, which remain competent under the GDPR. The audit of GDPR compliancy serves solely to identify abuse of a dominant position and to take measures in accordance with competition law. The court emphasised that NCAs have a commitment to coordinate and cooperate loyally with supervisory authorities to ensure a consistent application of the GDPR.
The CJEU also pointed out that Meta Platforms Ireland’s data processing activities also appeared to involve special categories of personal data, the processing of which was in principle prohibited under Art. 9 of the GDPR. The national court had to examine whether certain data allowed the disclosure of such information, regardless of whether it concerned the Facebook user or other natural persons. The question of whether the processing activity of such sensitive data was exceptionally permissible because the data subject would have obviously made such data public was clearly answered in the negative. Simply accessing websites or apps that can reveal such information does not automatically mean that the data have been made manifestly public. Nor does this apply if a user enters data or presses buttons on such websites or in such apps. Something else is only conceivable if the user has explicitly consented to this data being publicly accessible.
The CJEU also examined whether Meta Platforms Ireland’s general data processing activities (including non-sensitive data) fall within the GDPR’s justifications, which may allow processing without the data subject’s explicit consent. However, if the processing is based on the necessity for the performance of the contract with Facebook users, the processing activity must be objectively necessary to fulfil the main subject matter of the contract.
Subject to review by the national court, the CJEU expressed doubts as to whether the personalisation of content or the seamless use of Meta’s services necessarily required this criterion. A legitimate interest of Meta in the financing of its services could also not justify the data processing in question in the specific case.
Finally, the CJEU held that the dominant position of the operator of an online social network did not in itself preclude users from effectively consenting to data processing by that operator. However, a dominant position of an online service could affect the users’ freedom of choice. Therefore, the dominant position is an important aspect in the audit of whether the consent was effective and voluntarily given. Meta bears the burden of proof for the existence of voluntary consent of its users.
Conclusion
As expected, the CJEU ruled in favour of the users to the full extent. In addition to the competition law issues, there is also room for data protection law arguments, without calling into question the competence of the data protection supervisory authorities.
The ruling is particularly interesting regarding the assessment of the required voluntariness of consent. This is because the dominant position of the operator platform also plays an important role for the chasing of a conscious decision by the users. The wider the reach of a social network, the higher the psychological compulsion for users to use the service, as in “the ends justify the means”.
A similar effect is achieved by all large social networks, which are in such an exposed position through their amount of users that they can dictate the conditions for their use. The social pressure alone to have to use precisely this channel for the greatest possible attention leads to an indissoluble asymmetry of power between platform operators and users.
Not least because of this predicament of users, the requirements for lawful consent must be all the higher. Whether one can ever assume voluntariness under this premise, however, remains open. Concrete design options and requirements for such a voluntary decision are still up in the air. Ultimately, this is probably only conceivable via an alternatively offered paid version.
