By
11 min read
Published On: July 25, 2023

The EUCJ’s decision on the relation between competition law and personal data protection

On July 4, 2023, the Court of Justice of the European Union (CJEU) with its judgment in case _C-252/21____ shed light on the doubts raised by the Higher Regional Court of Düsseldorf with its request for a preliminary ruling dated March 24, 2021. The national judge asked the CJEU to clarify whether the federal competition authority can find a violation of the EU Regulation 2016/679 (GDPR) when such an assessment, emerging in the context of a competition case, results necessary to determine the anti-competitive conduct. Additionally, the German Court asked the CJEU to define the limits of use of the legal bases provided for under art. 6(1)(a) and 9(2)(a) GDPR (i.e., consent), when the company (in this case Facebook) uses them to justify the processing of personal data related to activities carried out by its customers outside their Facebook account (“off Facebook data”). Lastly, the CJEU was asked to determine whether the data subjects can express a freely given consent to an enterprise (such as Facebook) that holds a dominant position in the market.

Facts

The Higher Regional Court of Düsseldorf’s request for a preliminary ruling stemmed from a dispute between the German competition authority (Bundeskartellamt) and Meta Platforms, Meta Platforms Ireland and Facebook Deutschland (hereinafter “Meta”). Specifically, the German authority prohibited Meta from making German citizens’ use of the social network Facebook conditional on the processing of their “off Facebook data” and from processing such data without their consent.

As known, Meta collects users’ data both inside and outside of Facebook, drawing from information generated by the data subjects when using other applications owned by the company itself (e.g., Instagram or Whatsapp) or by third parties but “linked” to Meta thanks to the “business tools” the company implements. In this way Meta can cross-reference this “external” data with “internal” data related to Facebook usage, thus being able to tailor advertising messages to target users and support its business model.

The Bundeskartellamt justified its decision on the grounds that the aforementioned practice allegedly conflicts with the GDPR, and as such also constitutes an abuse of Meta’s dominant position in the German social networking market.

 

Competition authority and GDPR 

The CJEU first held that although neither the GDPR nor any other instrument of EU law expressly provides that a competition authority can assess, in the context of an abuse of dominant position’s investigation, whether the processing of personal data carried out by the scrutinized company complies with the GDPR, it nevertheless ruled that Article 4(3) TEU legitimizes such an assessment in the name of the principle of loyal cooperation between national authorities. However, the competition authority cannot take the place of the competent data protection authority. In fact, it shall rather verify whether the conduct it considers to be in contrast with the GDPR has already been the subject of a data privacy authority or court’s decision, in which case it cannot depart from it. In any case, the competition authority’s decision with respect to the processing of personal data must be limited to what is necessary for the decision of the competition case.

 

Processing of “sensitive data”

In addition, the CJEU addresses Meta’s processing of personal data under Article 9 GDPR (“sensitive data”). In particular, the Court states that if this data is collected outside of Facebook and put in relation with Facebook usage data, such processing must be considered for all purposes to be a processing of sensitive data, prohibited by the GDPR unless the exceptions set forth in article 9(2) of the Regulation apply. In other words, the CJEU considers the case where Facebook users share their sensitive data when signing up to third parties’ website and Meta, using its business tools, collects this data in order to put them in relation with data generated by its clients inside of Facebook.

The Court goes on to establish that, the mere fact that users entered their own sensitive data on websites or applications (different from Facebook) does not automatically bring it within the exception of Article 9(2)(e) GDPR. In other terms, users may not  be held to have made their data manifestly public, unless this is the result of their explicit choice, made with full knowledge of the facts and, where appropriate, through individualized settings that allow them to limit the sharing of that information with a limited number of people.

Processing of non-sensitive data: performance of a contract and legitimate interest

Regarding the processing of non-sensitive data (under Article 6 GDPR), the CJEU examines the limits of use of the different legal bases referred to in the provision. For the purposes of this contribution, we will limit ourselves to a brief examination of the Court’s reasoning regarding the justifications as per art. 6(1)(b) and (f) (i.e., performance of a contract and legitimate interest of the data controller).

The Court reiterates the well-established guideline that processing can be supported by the justification of contractual performance only if it is indispensable to the fulfillment of the object of the contract, or, on the contrary, if in the absence of the processing it would not be possible in any way to execute the agreement between the data subject and the owner.

The collection of off.Facebook data for the purpose of personalizing the content to be shown to users within their Facebook profile may not, in principle, be justified using the legal basis in question. In fact, the CJEU doubts that the customization of content is necessary to offer the users the possibility of using the social network or otherwise being able to benefit from their Facebook profile, which on closer inspection is the main object of the contract.

On the other hand, with regard to the justification of the legitimate interest, the Court specifies that this may not be invoked as a basis legitimizing the processing of personal data merely because − without prejudice to the competence of the national court to assess the individual case − the customization of content and advertisements to be shown to Facebook users constitutes the company’s business model.

Although recital 47 of the GDPR specifies that a processing of personal data for direct marketing purposes may be considered to be carried out in pursuit of the legitimate interest of the data controller, it is still necessary that, on the one hand, the fundamental rights of the data subjects do not override the interest of the data controller in the specific case, and on the other hand, the data subjects, given the relationship with the data controller, could reasonably expect that the data controller would process their personal data (in the absence of specific consent) for the purpose of customization.

Well, the CJEU states that Facebook users do not carry an expectation that the controller would process his data for the purpose of customizing the content to be directed to him, concluding that Meta’s legitimate interest, so understood, surrenders to the fundamental rights of the data subject.

In other words, cross-referencing off-Facebook data with “internal” data can be considered legitimate processing under Article 6(1)(f) GDPR, provided that the data controller has obtained the data subject’s consent.

 

Freely given consent to the dominant data controller

Lastly, with regard to whether the consent given by the data subject to the data controller occupying a dominant position in the market (in this case of social networks) can be considered to be freely given, the CJEU considers that Facebook users can validly consent to the use of their personal data. It specifies, however, that the dominant position may be a relevant factor to be considered when investigating the validity of the consent expressed by the user, since in such cases the position held by the controller may cause an imbalance of power and may make consent constrained and, therefore, not free.

 

Concluding remarks

The decision commented here is undoubtedly of high interest for at least two orders of reason. First, the Court of Justice of the European Union expands, by going beyond the literal interpretation of the GDPR, the range of entities empowered to assess the legitimacy of a processing of personal data. The fact that a competition authority can (in some way) play the role of the data protection authority (article 51 of the Regulation) confirms once again the expansive vocation and so the importance attributed to the GDPR. Secondly, the decision clarifies the scope of certain legal bases of the processing of personal data (namely, performance of a contract and legitimate interest) conducted by the controller that, like Meta, holds a dominant position in the market. In particular, the CJEU highlights the limits of use of the justifications, when these are placed at the basis of personal data processing carried out by cross referencing the user’s data off Facebook and the data that we have defined instead as “internal” (i.e., relating to the use of the Facebook account) for the purpose of customizing contents. In other words, the business model of the company may not legitimize going beyond the logic of the GDPR. The latter wants the data subjects to be made aware and free to calibrate their willingness to have their personal data, including sensitive data, used by a data controller. In the last instance, the Court once again emphasizes the fundamental relevance of consent, the preferred legal basis among those contemplated in the GDPR.

One quite big open question that remains to be answered, is whether – given this decision – Meta or companies like Meta, would be permitted under the GDPR to make monetarily unpaid access to their services subject to the users’ consenting to the processing of their personal data for the purposes of, inter alia, advertising personalization. The question arising here is whether making the trading in of consent versus services explicit, would not run counter to the principle that consent must be free, explicit and unconditional.

Recent Articles

Publication of the second report on the application of the GDPR: some key issues
Publication of the second report on the application of the GDPR: some key issues
Gallery

Publication of the second report on the application of the GDPR: some key issues

July 31, 2024
Pay or Ok: EDPB’s decision
Pay or Ok: EDPB’s decision
Gallery

Pay or Ok: EDPB’s decision

April 18, 2024
Artificial Intelligence and Intellectual Property. A dual perspective in the EUIPO Study
Artificial Intelligence and Intellectual Property. A dual perspective in the EUIPO Study
Gallery

Artificial Intelligence and Intellectual Property. A dual perspective in the EUIPO Study

January 17, 2023
Privacy Guarantor sanctions Lazio Region for unlawful control of employees’ e-mail metadata
Privacy Guarantor sanctions Lazio Region for unlawful control of employees’ e-mail metadata
Gallery

Privacy Guarantor sanctions Lazio Region for unlawful control of employees’ e-mail metadata

January 12, 2023
Publication of the second report on the application of the GDPR: some key issues
Publication of the second report on the application of the GDPR: some key issues
Gallery

Publication of the second report on the application of the GDPR: some key issues

July 31, 2024
Pay or Ok: EDPB’s decision
Pay or Ok: EDPB’s decision
Gallery

Pay or Ok: EDPB’s decision

April 18, 2024
Artificial Intelligence and Intellectual Property. A dual perspective in the EUIPO Study
Artificial Intelligence and Intellectual Property. A dual perspective in the EUIPO Study
Gallery

Artificial Intelligence and Intellectual Property. A dual perspective in the EUIPO Study

January 17, 2023
Privacy Guarantor sanctions Lazio Region for unlawful control of employees’ e-mail metadata
Privacy Guarantor sanctions Lazio Region for unlawful control of employees’ e-mail metadata
Gallery

Privacy Guarantor sanctions Lazio Region for unlawful control of employees’ e-mail metadata

January 12, 2023