CJEU Decision C – 252/21 – Meta Platforms and Others v. Bundeskartellamt or the interaction between Data Protection Law and Competition Law

The CJEU decided in the case concerning Meta that competition authorities can rule on the compliance or non-compliance of the undertaking with the GDPR in the context of a decision on an abuse of dominant position. CJEU ruled on all six legal basis to process data, further clarifying the interpretation of Article 6 (1) GDPR.

Basically, a national competition authority can find, in the context of the examination of an abuse of a dominant position, that the GDPR has been infringed.

Meta Platforms Ireland operates the online social network Facebook within the European Union. When they register with Facebook, its users accept the general terms drawn up by that company and, consequently, the data and cookies policies. According to those policies, Meta Platforms Ireland collects data about user activities on and off the social network and links them with the Facebook accounts of the users concerned. The latter data, also known as “off-Facebook-data”, are data concerning visits to third-party webpages and apps as well as data concerning the use of other online services belonging to the Meta group (including Instagram and WhatsApp). The data thus collected serve, inter alia, to create personalised advertising messages for Facebook users.

The German Federal Cartel Office prohibited, in particular, the use of social network Facebook by private users resident in Germany from being subject, in the general terms, to the processing of their off-Facebook data and those data from being processed without their consent.

In its judgment, the Court of Justice states as it is shown also in the press release that, in the context of the examination of an abuse of a dominant position by an undertaking, it may be necessary for the competition authority of the Member State concerned also to examine whether that undertaking’s conduct complies with rules other than those relating to competition law, such as the rules laid down by the GDPR. However, where the national competition authority identifies an infringement of the GDPR, it does not replace the supervisory authorities established by that regulation. The sole purpose of the assessment of compliance with the GDPR is merely to establish an abuse of a dominant position and impose measures to put an end to that abuse on a legal basis derived from competition law. In order to ensure the consistent application of the GDPR, the national competition authorities are required to consult and cooperate sincerely with the authorities monitoring the application of that regulation. In particular, where the national competition authority takes the view that it is necessary to examine whether an undertaking’s conduct is consistent with the GDPR, it must ascertain whether that conduct or similar conduct has already been the subject of a decision by the competent supervisory authority or the Court. If that is the case, it cannot depart from it, although it remains free to draw its own conclusions from the point of view of the application of competition law. Furthermore, the Court observes that the data processing operation carried out by Meta Platforms Ireland appears also to concern special categories of data that may reveal, inter alia, racial or ethnic origin, political opinions, religious beliefs or sexual orientation, and the processing of which is in principle prohibited by the GDPR. It will be for the national court to determine whether some of the data collected may actually allow such information to be revealed, irrespective of whether that information concerns a user of that social network or any other natural person. As to whether the processing of such ‘sensitive’ data is exceptionally permitted due to the fact that they were manifestly made public by the data subject, the Court clarifies that the mere fact that a user visits websites or apps that may reveal such information does not in any way mean that the user manifestly makes public his or her data, within the meaning of the GDPR. In addition, the same applies where a user enters information into such websites or apps or where he or she clicks or taps on buttons integrated into them, unless he or she has explicitly made the choice beforehand to make the data relating to him or her publicly accessible to an unlimited number of persons.

Lastly, the Court notes that the fact that the operator of an online social network, as controller, holds a dominant position on the social network market does not, as such, prevent its users from validly giving their consent, within the meaning of the GDPR, to the processing of their personal data by that operator. However, since that position is liable to affect the freedom of choice of those users and create a clear imbalance between them and the data controller, it constitutes an important factor in determining whether the consent was in fact validly and, in particular, freely given. This is for the operator to prove.

The full text of the Decision C-252/21 can be read here.