On 4 July 2023, the Grand Chamber of the Court of Justice ruled that a national competition authority has the right to find inconsistency with the GDPR as part of the examination of an abuse of a dominant position. On this occasion, the Court of Justice provided useful clarifications about sensitive data, possible processing grounds and conditions to obtain valid and freely given users’ consent (Case C-252/21).
• The factual background
Users of Facebook must adhere to its general terms of service when they sign up for the social network. Under Facebook’s general terms, Meta Platform Ireland (Facebook’s successor and operator) is not only entitled to collect data from other online services belonging to the Meta group (such as Instagram and WhatsApp) but also from third-party websites and apps, also known as “off-Facebook data”. The collected data is then linked to the various user accounts and used to create tailored advertising messages.
In the present case, the German Competition Authority (the “Bundeskartellamt”) found that Meta processing of personal data was not consistent with the General Data Protection Regulation (“GDPR”) and, consequently, constituted an abuse of dominant position on the market of online social networks. By decision of 6 February 2019, it prohibited Meta from (i) making the use of Facebook by private users subject to the processing of their “off-Facebook data” and from (ii) processing the data without their valid consent.
The abovementioned decision was challenged before the Higher Regional Court of Düsseldorf which asked the Court of Justice (“the Court”), on the one hand, whether national competition authorities (“NCAs”) may assess the compliance of data processing with the GDPR and, on the other, asked for clarification with regard to the interpretation and application of several provisions of the GDPR. Advocate General Rantos’ opinion on this preliminary referral was commented on a previous publication.
• NCAs possibility to assess compliance of undertaking’s conduct with the GDPR
First, the Court found that, in the context of the examination of an abuse of a dominant position by an undertaking, it may be necessary for a NCA to analyse whether that undertaking’s conduct complies with rules other than those relating to competition law such as the rules on the protection of personal data enshrined in the GDPR.
However, whenever an infringement is identified, the NCA can neither encroach on the competences conferred to the data protection supervisory authority (“supervisory authority”) nor replace it. Therefore, in accordance with the principle of sincere cooperation and in order to ensure consistent application of the GDPR, the NCA may not deviate from previous rulings rendered by competent supervisory authorities or by the Court.
In the absence of a previous investigation or where it has doubts about the scope of its assessment, the NCA must consult and seek cooperation with the competent supervisory authority. The latter is deemed to respond to such request in a reasonable period of time. Nevertheless, in the absence of such a reply or any objection from that supervisory authority, the NCA is allowed to continue its own investigation.
• Lawfulness of Meta’s processing of sensitive data
Second, the Court observed that data processing carried out by Meta concern special categories of data – revealing, amongst others, racial or ethnic origin, political opinions or persons’ sexual orientation – which is in principle forbidden by Article 9 GDPR.
Such prohibition can exceptionally be lifted where the processing relates to personal sensitive data which are manifestly made public by the data subject. In this regard, the Court noted that it cannot be inferred from the mere visit of websites or apps by a user that the concerned personal data are manifestly made public by the user. This also applies whenever users voluntarily enter information into a website or an app and click on integrated “Share” or “Like” buttons, unless the individual settings chosen by that user are to make the data accessible to an unlimited number of persons.
• Legal basis of data processing in the absence of consent
Third, concerning the lawfulness of data processing (of both sensitive and non-sensitive data) carried out by Meta without the data subject’s consent, the Court recalled that the need for the performance of a contract – to which the data subject is party – can only justify the processing of data if it is objectively essential for the contract to be properly achieved and that there are no less intrusive alternatives (Article 6.1.b GDPR).
In this regard, and subject to verification by the referring court, the Court doubted that personalised content appears to be necessary in order for Facebook to offer its services. According to the Court, those social network services could be provided in the form of an equivalent alternative excluding such personalisation.
Besides, while the Court did not rule out that a legitimate interest could validly be invoked by Meta as sufficient legal basis justifying the processing (e.g. for network security purposes) (Article 6.1.f GDPR), the Court also clarified that personalised advertisement to finance its activities does not constitute a legitimate interest prevailing over the rights of its users.
• Consent validity given to an undertaking upholding a dominant position
Finally, the Court found that the fact that an undertaking holds a dominant position on the social network market does not, as such, prevent the users of that social network from validly and freely consent to the processing of their personal data by that operator. Nevertheless, such position might create an imbalance between the data subjects and the data controller that is likely to have an impact on the users’ freedom of choice. This consideration must therefore be taken into account when determining whether the consent was validly and freely given. The data controller bears the burden of proof of such consent.
• Final remarks
The present case is a clear example that data protection stands at the crossroads of other areas of law including competition law. In its judgment, the Court rightly observes that, as illustrated by Meta’s business model, “access and use of personal data are of great importance in the context of the digital economy”. It is therefore a relevant factor in establishing undertakings market dominance. This economic development is likely to bring NCAs to increasingly assess data protection compliance in the context of antitrust proceedings.
It is however true that such traditional “ex post” proceedings do generally not intervene in a timely manner to properly protect new innovators against the barriers erected by large digital platforms. Only time will tell whether the “ex ante” intervention provided by the DMA – whose obligations will be applicable as of 6 March 2024 – will be able to address such shortcomings in the context of the digital market.
For further information about this case and/or for general legal advice relating to European competition law and data protection, please contact Pierre de Bandt, Raluca Gherghinaru, Karel Janssens or Marion Nuytten.