1. Background

In February 2019, the German Federal Cartel Office issued a decision prohibiting the tech giant Meta from using “off-Facebook data”[1] to create personalized advertising for German users. The authority considered such activity to be inconsistent with the General Data Protection Regulation (“GDPR”), thus constituting an abuse of Meta’s dominant position on the German market. On appeal, the Higher Regional Court of Düsseldorf asked the Court of Justice of the European Union (“CJEU”) about two issues:

(i) Whether national competition authorities have the competence to assess compliance with the GDPR, and

(ii) How national courts should interpret and apply certain GDPR provisions related to data processing by online platforms.

This Tuesday, the CJEU issued its landmark decision, which sent shockwaves through both the antitrust and the data protection fields.

2. CJEU’s decision

a. Competence of national antitrust authorities to assess compliance with the GDPR

The Court ruled that national competition authorities can examine whether a company’s conduct complies with rules other than those relating to competition law (such as the GDPR), as long as said examination is relevant to the determination of whether a competition rule has been violated. In doing so, however, the competition authority must inform and cooperate with the supervisory authority responsible for the field in question (e.g., the German data protection authority) and, most importantly, it cannot depart from precedent set forth by said authority. For instance, in the present case, if the German data protection authority had previously ruled that the processing of data equivalent to “off-Facebook data” does comply with the GDPR, the German Federal Cartel Office could not have indirectly “overruled” said decision.

b. Substantive questions concerning the GDPR

As for the interpretation of GDPR provisions concerning online social networks, the main rulings rendered by the Court were the following:

  • Is a controller allowed to process data such as “off-Facebook data” on the basis that it is “necessary for the performance of the contract with the data subject”[2] since, e.g., it allows Meta to provide its users with more personalized content? The Court answered no, explaining that, in such cases, the relevant data must be indispensable to, and not merely useful for, the performance of the contract.
  • Is the data controller allowed to process data such as “off-Facebook data” on the basis of the controller’s legitimate interests[3] since, e.g., it allows Meta to provide users with personalized advertising? The Court answered no, highlighting that the users’ fundamental rights override the interests that the online platform has in personalizing the advertising by which it finances its activities. As a consequence, a valid consent from users would be needed.
  • When a company such as Meta holds a dominant position on the social network market, does this lead to the conclusion that its users’ consent was not “freely given”[4], due to the existing imbalance between platform and user? The Court answered no, stressing, however, that such dominant position is a factor to be considered in assessing the validity of the given consent, the burden of proof lying with the platform.
  • When third-party websites or apps collect “sensitive” data[5] from users who visit and/or enter their information into said websites or apps (e.g., by placing an online order), may that data be considered as “manifestly made public” by the data subject[6]? The Court answered no, emphasizing that such an authorization would occur only when the data subject has explicitly made the choice to make their data publicly accessible to an unlimited number of persons.

3. Final remarks

The CJEU’s decision not only draws important lines in the sand as to how online platforms can process data in Europe, but also confirms the trend of the ever-increasing interplay between two apparently separate sets of legislation: competition and data protection law. In an era where data is considered to be “the new oil”, it becomes increasingly vital that online operators face legal issues with an interdisciplinary and integrated approach, thus guaranteeing full compliance with the applicable laws and increasing legal certainty.

[1] Off-Facebook data is information collected from visits to third-party webpages and apps, as well as data concerning the use of other services belonging to the Meta group, such as Instagram and WhatsApp.

[2] Article 6(1)(b) of the GDPR.

[3] Article 6(1)(f) of the GDPR.

[4] Under article 4(11) of the GDPR.

[5] “Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (…) genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”, as defined by article 9(1) of the GDPR.

[6] Thus falling into the exception of article 9(2)(e) of the GDPR.