CJEU makes landmark decision in Meta vs Bundeskartellamt

Judgment allows GDPR scrutiny through antitrust regulators and imposes limitations on personalized use of consumers’ personal data.

On July 4, 2023, the European Court of Justice (CJEU) delivered its judgment in Meta vs Bundeskartellamt (Case C-252/21). The decision imposes important requirements in relation to the interpretation of the GDPR and the interplay between competition authorities and data protection supervisory authorities, in particular with regard to the personalized use of consumers’ personal data for targeted advertising by social media platforms.

The decision will, in particular, have far-reaching implications for organizations that hold a dominant market position and accumulate large amounts of personal data from various sources.

The CJEU ruled that competition authorities of a Member State have the authority to investigate and sanction an infringement of the GDPR, if companies exploit their dominant market position. In case of data protection violations, the competition authorities must consult with the competent data protection supervisory authority.

In addition, the case deals, in particular, with requirements for the combined personalized processing of Facebook users’ personal data collected by Meta within Facebook, and of so-called off-Facebook data, collected by websites and applications outside of the social media platform. In this regard, the CJEU imposes strict limitations on the interpretation of the ‘necessity for the performance of a contract’ legal basis which, according to the decision, “must be objectively indispensable for a purpose that is integral to the contractual obligation intended for the data subject”.

The CJEU also significantly limits Facebook’s legitimate interests to process the users’ personalised social network data and imposes limitations and strict requirements for obtaining lawful consent for a company dominant on the market.

In addition, the CJEU clarifies that it cannot be inferred from the mere visit to websites or apps by a user that the sensitive personal data generated in this process were manifestly made public by that user within the meaning of Article 9(1)(e) GDPR.

CJEU’s decision in detail

This landmark decision of the CJEU goes back to the decision of the Bundeskartellamt, the German Federal Cartel Office (FCO), in the Meta case (Facebook) from 2019. In the case the FCO imposed far-reaching restrictions on the processing of user data. In its decision, the FCO accused Meta of abusing its dominant market position through its general terms, as the FCO was of the opinion that the processing of off-Facebook data was not compliant with the underlying requirements of the GDPR and, in particular, could not be justified in the light of Article 6(1) and Article 9(2) of the GDPR.

Meta filed an appeal with the Düsseldorf Higher Regional Court (OLG Düsseldorf) against this decision, inter alia, questioning the authority of the national competition authority to enforce data protection rules under antitrust laws. The appeal led the court to request a preliminary ruling under Article 267 of the Treaty on the Functioning of the European Union (TFEU) from the CJEU. The court addressed various questions to the CJEU concerning the competition authority’s competence to enforce rules of the GDPR as well as the interpretation of various Articles of the GDPR.

Competence of competition authorities to observe GDPR infringements

The decision of the CJEU has important antitrust as well as data protection dimensions – namely regarding the competence to enforce data protection law violations. This arises from the fact that Meta has a dominant position on the market for online social networks for private users in Germany (constituted by the FCO, para 30). The FCO argued that a violation of the GDPR could constitute an abuse of a dominant market position within the meaning of Article 102 TFEU.

The question the CJEU had to answer was whether a national competition authority could investigate and sanction an infringement of the GDPR as a violation under the regime of Article 102 TFEU.

The CJEU confirmed the FCO’s view, holding that in the context of the examination of an abuse of a dominant position by an undertaking on a particular market “it may be necessary for the competition authority of the member state concerned also to examine whether that undertaking’s conduct complies with rules other than those relating to competition law” (para 48).

However, the CJEU is clear that where a national competition authority identifies an infringement of the GDPR in the context of the finding of an abuse of a dominant position, this does not replace the role of the data protection supervisory authorities. In particular, the CJEU held that the national competition authority “neither monitors nor enforces” the application of the GDPR (para 49).

The reason for assessing an infringement of the GDPR as a violation of antitrust is that the “access to personal data and the fact that it is possible to process such data have become a significant parameter of competition between undertakings in the digital economy”, confirming the legal standpoint of, inter alia, the EU Commission. Therefore, the CJEU held that an exclusion of “the rules on the protection of personal data from the legal framework to be taken into consideration by the competition authorities when examining an abuse of a dominant position would disregard the reality of this economic development and would be liable to undermine the effectiveness of competition law within the European Union” (para 51).

However, the CJEU acknowledges the risk of divergences between the national competition and data protection supervisory authorities. To minimize this risk, the court imposes a duty on the competition authorities to examine possible overlapping examinations or decisions by data protection supervisory authorities or courts for the same or similar conduct. “If that is the case, the national competition authority cannot depart from it, although it remains free to draw its own conclusions from the point of view of the application of competition law” (paras 55 et seq.).

Additionally, the CJEU imposes a duty on the competent national data protection supervisory authority of “sincere cooperation” with the national competition authority (paras 57 et seq.). This includes an obligation to respond to a request for information or cooperation “within a reasonable period of time” and to particularly inform about any intention to consult other concerned data protection authorities or the lead supervisory authority under the consistency mechanisms of the GDPR (para 58). If no answer is provided or if the data protection authority does not have any objections, the competition authority may proceed with its own “investigation” of the relevant data protection law (para 59).

Requirements for the processing of personal data of users of a social network

The CJEU imposed strict requirements for the combined personalised processing of personal data of Facebook users collected by Meta within Facebook and as off-Facebook data (Social Network Data), including with regard to sensitive personal data.

Strict requirements for the processing of sensitive personal data 

The CJEU agrees with the Advocate General in the assessment that the general prohibition to process special categories of personal data in Article 9(1) GDPR is “independent of whether or not the information revealed by the processing operation in question is correct and of whether the controller is acting with the aim of obtaining information that falls within one of the special categories referred to in that provision”. Rather, the prohibition shall be irrespective of the stated purpose of the processing (paras 69 et seq.). This consequently ends the debate whether these criteria limit the applicability of Article 9(1) GDPR.

According to the CJEU, Meta processes sensitive personal data within the meaning of Article 9(1) GDPR if users of a social network visit websites or apps and use integrated buttons, such as the ‘Like’ or ‘Share’ buttons, that may reveal information falling within one or more of the special categories of personal data referred to in Article 9(1) GDPR. By this, users enter information into such websites or apps and Meta subsequently links such data with the user’s social network account and uses this data (paras 71 et seq.).

However, according to the CJEU, “it cannot be inferred from the mere visit to such websites or apps by a user that the personal data in question were manifestly made public by that user within the meaning of Article 9(1)(e) GDPR” (para 79). The extent to which an interaction with such website or app is considered public may vary pursuant to the individual settings chosen by a user. According to the CJEU, the exemption of Article 9(2)(e) GDPR will only apply if users have the choice, on the basis of settings selected and with full knowledge of the facts, whether to make the information accessible to the general public or, rather, to a more or less limited number of selected persons (paras 80 et seq.).

If no such individual settings are available, according to the CJEU, users must have explicitly consented, on the basis of express information provided by that website or app prior to any such entering or clicking, to the data being viewed by any person having access to that website or app (para 83).

Strict requirements for lawful processing of personalized social network data

By interpreting the legal bases of Article 6(1) GDPR, the CJEU sets out the requirements for lawful processing of Social Network Data by the operator of an online social network.

a. Performance of a contract: Limitations due to strict interpretation of the “necessity” requirement.

The CJEU tightens the requirements for basing such processing of Social Network Data on the legal basis of Article 6(1)(b) GDPR, by stating that for the processing of personal data to be regarded as “necessary” for the performance of a contract, “it must be objectively indispensable for a purpose that is integral to the contractual obligation intended for the data subject. The controller must therefore be able to demonstrate how the main subject matter of the contract cannot be achieved if the processing in question does not occur” (para 98).

According to the CJEU, “the fact that such processing may be referred to in the contract or may be merely useful for the performance of the contract is, in itself, irrelevant in that regard”. Rather, according to the CJEU, the decisive factor is “that the processing of personal data by the controller must be essential for the proper performance of the contract concluded between the controller and the data subject and therefore, that there are no workable, less intrusive alternatives” (para 99).

The CJEU acknowledges that personalized content is useful for users, as it enables them to view content corresponding to a large extent to their interests. However, the CJEU states that “personalised content does not appear to be necessary in order to offer that user the services of the online social network”. Rather, “those services may, where appropriate, be provided to the user in the form of an equivalent alternative which does not involve such a personalisation, such that the latter is not objectively indispensable for a purpose that is integral to those services” (para 102).

Moreover, the CJEU sees no justification based on the consistent and seamless use of Meta’s own services, as there is no obligation for a user to subscribe to other services offered by Meta to create a user account in Facebook, since the other services offered by Meta can be used independently of each other (para 103).

The CJEU concludes that the processing of personal data from services offered by Meta other than Facebook does not appear to be necessary for the provision of the service of Facebook (para 104).

b. Limited legitimate interests of Facebook

With regard to the legal basis of Article 6(1)(f) GDPR, the CJEU takes a similarly restrictive interpretation of Facebook’s legitimate interests to process the users’ Social Network Data.

For the assessment of Facebook’s legitimate interest, the CJEU stresses that “the interests and fundamental rights of the data subject may in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect such processing” (para 112; cf. recital 47 GDPR).

Although the CJEU acknowledges a general legitimate interest of Facebook in personalizing its content, there are strict limitations on controllers that want to rely on this legal basis. In particular, processing is limited to what is “strictly necessary for the purposes of that legitimate interest” (para 126).

The CJEU states that despite the fact that the services of Facebook are free of charge, the user “cannot reasonably expect that the operator of the social network will process that user’s personal data, without his or her consent, for the purposes of personalised advertising”. Consequently, according to the CJEU, in those circumstances, the interests and fundamental rights of such a user override the interest of Facebook in such personalized advertising by which it finances its activity (para 117).

The CJEU emphasises that due to the social network’s extensive processing of “potentially unlimited data” this “has a significant impact on the user”, as, according to the CJEU, a large part – if not almost all – of the user’s online activities are monitored by Meta, “which may give rise to the feeling that his or her private life is being continuously monitored” (para 118).

Additionally, the CJEU provides strict instructions to the OLG Düsseldorf on the interpretation of Meta’s other interests, such as ensuring network security and product improvement (paras 119 et seq.). However, these interests still have to override the users’ interests, which – at least for “product improvement”, according to the CJEU, “appears doubtful […] given the scale of that processing and its significant impact on the user, as well as the fact that the user cannot reasonably expect those data to be processed by Meta Platforms Ireland” (para 123).

c. Limitations and requirements for obtaining lawful consent

If, pursuant to the CJEU’s limitations set out above, other legal bases of Article 6(1) GDPR do not apply, personalized data processing of Social Network Data may only be based on the users’ consent (Article 6(1)(a) GDPR).

The CJEU states that even if the operator of an online social network holds a dominant position on the social network market, this “does not, as such, prevent the users of that social network from validly giving their consent” (para 147). However, such “circumstance must be taken into consideration in assessing whether the user of that network has validly and, in particular, freely given consent” (para 148). Moreover, according to the decision of the CJEU, “the existence of such a dominant position may create a clear imbalance […] between the data subject and the controller, that imbalance favouring, inter alia, the imposition of conditions that are not strictly necessary for the performance of the contract” (para 149).

Against this backdrop, the CJEU sets out the following requirements for a lawful consent to such processing (paras 150 et seq.):

  • “users must be free to refuse individually, in the context of the contractual process, to give their consent to particular data processing operations not necessary for the performance of the contract, without being obliged to refrain entirely from using the service offered by the online social network operator”;
  • hence, “users are to be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations”;
  • it is appropriate for users to have the possibility of giving separate consent for the processing of the data relating to their conduct within the social network, on the one hand, “and the off-Facebook data, on the other” (to be ascertained by the OLG Düsseldorf whether such a possibility exists);
  • if no separate consent is possible, “the consent of those users to the processing of the off-Facebook data must be presumed not to be freely given”.

Legal assessment

The decision provides clarity regarding the (in Germany) long-controversial question of whether the FCO is allowed to investigate and enforce data protection violations. Undertakings with a dominant market position will have to pay even closer attention to GDPR compliant practices. However, the violation of GDPR rules constitutes a new de facto group of cases in the systematics of Article 102 TFEU. This will lead to new unresolved issues, e.g., it is unclear to what extent the data protection violation must be based on the dominant market position.

Furthermore, the decision may result in a duty to cooperate for data protection supervisory authorities not only with the respective national competition authorities, but also with other authorities. In particular, the new EU digital regimes such as the EU Digital Services Act, the proposed EU AI Act or the proposed EU Data Act require national authorities to be installed by the Member States. Consequently, in light of this decision, these authorities might also be entitled to investigate and enforce data protection violations in cooperation with the data protection supervisory authorities.

For companies with data driven business models and a dominant market position such as Meta, the decision creates significant challenges to base the processing of personal data for personalized services and targeted advertising on the legal bases of the performance of a contract or legitimate interests. In particular, the new interpretation of the CJEU that the performance of a contract must be “objectively indispensable for a purpose that is integral to the contractual obligation” significantly narrows the scope of Article 6(1)(b) GDPR. However, the decision of the CJEU still leaves sufficient room for interpretation and does not entirely rule out a prevailing legitimate interest of the social media platform.

It remains to be seen how national courts, consumer protection associations, data protection supervisory authorities and competition authorities will react to and interpret the decision. Nevertheless, due to the strict limitations imposed by the CJEU, some data-driven business models currently based on Articles 6(1)(b) and 6(1)(f) GDPR will from now on have to be consent-based to be GDPR compliant. In this context, allowing users to give granular consent to specific services and providing alternative usages of platforms without the processing of their personal data for personalized marketing in return for an appropriate fee might be the solution.

Moreover, under the EU Digital Markets Act (DMA), rules similar to those imposed by the CJEU in this decision already apply to data-driven businesses with a strong market position, so-called gatekeepers. In particular, Article 5 DMA restricts the combination of on-platform and off-platform personal data for gatekeepers unless the user has been presented with a specific choice and has given GDPR consent to this data processing.

Verena Grentzenberg is a data protection and cybersecurity lawyer and partner in the DLA Piper office in Hamburg. Associates Philipp Schmechel, specialist in data protection and cybersecurity law, and Dr Jonas Kranz, with a focus on antitrust law, are also based in Hamburg.