In a judgment handed down on Tuesday 4 July (Case C-252/21), the EU Court of Justice (CJEU) ruled that, when examining the abuse of a dominant position, the national competition authority of a Member State of the European Union may find a breach of the ‘GDPR’ regulation governing the protection of personal data.
Meta Platforms Ireland, which manages the Facebook, Instagram and WhatsApp social networks in the European Union, collects data and cookies relating to users inside and outside the social network, for example when they visit web pages and third-party applications belonging or not belonging to the Meta group (‘off-Facebook data’). The data collected is used in particular to personalise advertising messages sent to Facebook users.
In particular, the German Federal Competition Authority has prohibited making the use of the Facebook social network by private users resident in Germany subject to the processing of their data off Facebook and processing such data without their consent. It considers that this processing does not comply with the general ‘GDPR’ regulation (2016/679) and constitutes an abusive exploitation of Meta’s dominant position on the German market for online social networks.
Referred to by the Higher Regional Court of Düsseldorf, the Court of Justice observes that, when examining an abuse of a dominant position, a national competition authority may examine the conduct of the undertaking in question in the light of rules outside the scope of competition law, such as the ‘GDPR’ regulation. This authority must be limited to the sole purpose of determining the abuse of a dominant position and, if it identifies a breach of the ‘GDPR’ regulation, does not replace the authorities responsible for ensuring compliance with this regulation.
In order to ensure consistent application of the ‘GDPR’ regulation, the national competition authorities must consult and cooperate loyally with the authorities enforcing this regulation. In particular, a competition authority must check whether the conduct in question or similar conduct has already been the subject of a decision by the supervisory authority responsible for the ‘GDPR’ regulation or by the Court itself. If this is the case, it cannot deviate from it, while remaining free to draw its own conclusions from the point of view of the application of competition law.
‘Sensitive’ data. In addition, the Court noted that the data processing carried out by Meta appears to involve so-called ‘sensitive’ data (racial or ethnic origin, political opinions, religious beliefs, sexual orientation of a user), the processing of which is, in principle, prohibited by the ‘GDPR’ regulation. It is up to the national court to determine whether some of the data can actually be used to reveal such information, whether it concerns a Facebook user or any other natural person.
Is the processing of this ‘sensitive’ data exceptionally permitted because it has clearly been made public by the data subject? In response to this question, the Court states that the mere fact that a user consults websites or applications likely to reveal such information does not in any way mean that they are manifestly making their data public within the meaning of EU law.
The same applies, it adds, when a user inserts data into sites or applications or when they activate selection buttons integrated into them, unless they have previously explicitly expressed their choice to make their data accessible to an unlimited number of people.
The Court then examined whether Meta’s processing of all types of data was justified by the need to perform the contract to which an individual had subscribed in order to use Facebook. According to the Court, the need to perform the contract justifies the practice at issue only if the data processing is objectively indispensable in such a way that the main purpose of the contract could not be achieved in the absence of such processing.
Subject to verification by the national court, the Court doubts whether the personalisation of content or the uniform and fluid use of the Meta Group’s services can satisfy those criteria. Furthermore, according to the European Court, the personalisation of advertising through which Facebook is financed does not justify the data processing in question, in the absence of the explicit consent of the data subject.
Finally, the Court observes that the fact that an operator holds a dominant position on the online social networking market does not prevent its users from validly consenting to the processing of their data by that operator. However, it points out that, as this dominant position is likely to affect users’ freedom of choice, it is an important factor in determining whether consent has in fact been given validly and freely, something that Facebook has the burden of proving.
Reacting to this interpretation of EU law, the European Commissioner for Justice, Didier Reynders, welcomed the fact that “there are many actors in charge of the enforcement of the GDPR”. “In the future, we will put into place a new way of implementing the legal framework governing the digital environment,” he said, citing the DSA/DMA package and the ‘Data Act’, all of which stem from the ‘GDPR’ regulation.
See the Court’s judgment: https://aeur.eu/f/7wi (Original version in French by Mathieu Bion)