A national competition authority can find, in the context of the examination of an abuse of a dominant position, that the GDPR has been infringed (ECJ)
According to Judgment of the European Court of Justice in Case C-252/21 (Meta Platforms and Others), a national competition authority can find, in the context of the examination of an abuse of a dominant position, that the GDPR has been infringed.
Meta Platforms Ireland operates the online social network Facebook within the European Union. When they register with Facebook, its users accept the general terms drawn up by that company and, consequently, the data and cookies policies. According to those policies, Meta Platforms Ireland collects data about user activities on and off the social network and links them with the Facebook accounts of the users concerned. The latter data, also known as ‘off-Facebook data’, are data concerning visits to third-party webpages and apps as well as data concerning the use of other online services belonging to the Meta group (including Instagram and WhatsApp). The data thus collected serve, inter alia, to create personalised advertising messages for Facebook users.
The German Federal Cartel Office prohibited, in particular, the use of the social network Facebook by private users resident in Germany from being subject, in the general terms, to the processing of their off-Facebook data and those data from being processed without their consent. It based its decision on the fact that since that processing was not consistent with the General Data Protection Regulation (GDPR), it constituted an abuse of that Meta Platforms Ireland’s dominant position on the German market for online social networks.
Hearing an action brought against that decision, the Higher Regional Court, Düsseldorf, asks the Court of Justice whether the national competition authorities may review whether a data processing operation complies with the requirements set out in the GDPR. In addition, the German court refers questions to the Court of Justice about the interpretation and the application of certain provisions of the GDPR to the processing of data by the operator of an online social network.
In its judgment, the Court of Justice states that, in the context of the examination of an abuse of a dominant position by an undertaking, it may be necessary for the competition authority of the Member State concerned also to examine whether that undertaking’s conduct complies with rules other than those relating to competition law, such as the rules laid down by the GDPR.
However, where the national competition authority identifies an infringement of the GDPR, it does not replace the supervisory authorities established by that regulation. The sole purpose of the assessment of compliance with the GDPR is merely to establish an abuse of a dominant position and impose measures to put an end to that abuse on a legal basis derived from competition law. In order to ensure the consistent application of the GDPR, the national competition authorities are required to consult and cooperate sincerely with the authorities monitoring the application of that regulation.
In particular, where the national competition authority takes the view that it is necessary to examine whether an undertaking’s conduct is consistent with the GDPR, it must ascertain whether that conduct or similar conduct has already been the subject of a decision by the competent supervisory authority or the Court. If that is the case, it cannot depart from it, although it remains free to draw its own conclusions from the point of view of the application of competition law.
Furthermore, the Court observes that the data processing operation carried out by Meta Platforms Ireland appears also to concern special categories of data that may reveal, inter alia, racial or ethnic origin, political opinions, religious beliefs or sexual orientation, and the processing of which is in principle prohibited by the GDPR. It will be for the national court to determine whether some of the data collected may actually allow such information to be revealed, irrespective of whether that information concerns a user of that social network or any other natural person. As to whether the processing of such ‘sensitive’ data is exceptionally permitted due to the fact that they were manifestly made public by the data subject, the Court clarifies that the mere fact that a user visits websites or apps that may reveal such information does not in any way mean that the user manifestly makes public his or her data, within the meaning of the GDPR.
In addition, the same applies where a user enters information into such websites or apps or where he or she clicks or taps on buttons integrated into them, unless he or she has explicitly made the choice beforehand to make the data relating to him or her publicly accessible to an unlimited number of persons. As regards more generally the processing operation carried out by Meta Platforms Ireland, including the processing of ‘non-sensitive’ data, the Court examines next whether this is covered by the justifications, set out in the GDPR, allowing the processing of data carried out in the absence of the data subject’s consent to be made lawful.
In that context, it finds that the need for the performance of the contract to which the data subject is party may justify the practice at issue only on condition that the data processing is objectively indispensable such that the main subject matter of the contract cannot be achieved if the processing in question does not occur. Subject to verification by the national court, the Court of Justice expresses doubts as to whether personalised content or the consistent and seamless use of the Meta group’s own services are capable of fulfilling those criteria.
Moreover, according to the Court, the personalised advertising by which the online social network Facebook finances its activity, cannot justify, as a legitimate interest pursued by Meta Platforms Ireland, the processing of the data at issue, in the absence of the data subject’s consent.
Lastly, the Court notes that the fact that the operator of an online social network, as controller, holds a dominant position on the social network market does not, as such, prevent its users from validly giving their consent, within the meaning of the GDPR, to the processing of their personal data by that operator. However, since that position is liable to affect the freedom of choice of those users and create a clear imbalance between them and the data controller, it constitutes an important factor in determining whether the consent was in fact validly and, in particular, freely given. This is for the operator to prove. (source: curia.europa.eu/ photo: freepik.com)
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1).