The background of this case and national proceedings
The business model of the social networks operated by Meta Platforms (Facebook, Instagram and WhatsApp) essentially consists of offering social network services free of charge for private users and selling online advertising. The advertising is personalized to individual users and aims to show them products and services that might interest them based on their consumer behavior, interests, purchasing power and personal situation. The technical basis for this type of advertising is the automated production of detailed profiles of users of Facebook and the online services offered at group level. Thus, such advertising is technically made possible through the collection of data about user activities on and off the social network, which is then linked to the Facebook accounts of the users concerned. The latter data, also known as “off-Facebook data”, are data concerning visits to third-party webpages and apps, as well as data concerning the use of other online services belonging to the Meta group.
For the processing of said data, Meta Platforms Ireland relies on the contract for the use of the services, which includes the data and cookies policies, entered into with its users when they click on the “Sign up” button.
The German Federal Cartel Office prohibited Meta Platforms, Meta Platforms Ireland and Facebook Deutschland from (i) making the use of the social network Facebook by private users resident in Germany subject to the processing of their off-Facebook data and (ii) processing the data without their consent on the basis of the general terms in force at the time. That decision was based on the finding that, since that processing was not consistent with the GDPR, it constituted an abuse of Meta Platforms Ireland’s dominant position on the German market for online social networks.
Hearing an action brought against that decision, the referring court asked the CJEU:
1. whether the national competition authorities may review whether a data processing operation complies with the requirements set out in the GDPR
2. if an internet user merely visits websites or apps to which the criteria of Article 9(1) of the GDPR relate, such as flirting apps, gay dating sites, political party websites or health-related websites or also enters information into them, does the collection and/or linking and/or use by Facebook Ireland of such data involve the processing of sensitive data?
- If so: Does visiting those websites or apps and/or entering information and/or clicking or tapping on the buttons integrated into them by a provider such as Facebook Ireland (social plugins such as ‘Like’, ‘Share’ or ‘Facebook Login’ or ‘Account Kit’) constitute manifestly making the data about the visits themselves and/or the information entered by the user public within the meaning of Article 9(2)(e) of the GDPR?
3. whether Article 6(1)(b), (c), (d), (e) and (f) of the GDPR must be interpreted as meaning that Meta’s practice of collecting data, linking them to the user’s Facebook account and using data from other group services, as well as from third-party websites and apps, can be justified by one of the grounds provided for in those provisions
4. can consent be given effectively and freely to an undertaking having a dominant position in the national market for online social networks for private users?
In a nutshell, the CJEU stated the following:
1. National competition authorities’ competence on the examination of the GDPR
- The CJEU adheres to the Opinion of AG Rantos: in the context of the examination of an abuse of a dominant position by an undertaking, it may be necessary for the competition authority of the Member State concerned also to examine whether that undertaking’s conduct complies with rules other than those relating to competition law, such as the rules laid down by the GDPR. However, where the national competition authority identifies an infringement of the GDPR, it does not replace the supervisory authorities established by that regulation. Thus, in view of the duty of sincere cooperation, the national competition authority may not deviate from a decision of the competent national data protection authority.
2. Processing of sensitive data
- The CJEU has maintained its previously expressed position (e.g. in Case C-184/20 – OT v Ethics Committee) that sensitive data falling under Article 9(1) of the GDPR are those which “allow the disclosure of information revealing one of the categories covered by this provision” (para. 68 of today’s judgment).
Such a broad interpretation of Article 9 would mean that controllers must also treat as sensitive data certain data which they do not consider as sensitive data, but which allow the disclosure of such information.
- The CJEU has also stated that for sensitive data to be “manifestly made public” (as required by Art. 9 para. 2 lit. (e) GDPR), it is not sufficient for the data subject to upload his/her data on the social media platform or to use the buttons offered by that platform (e.g. “like”, “share”), but it would also be necessary for the data subject to explicitly express his/her choice in advance (e.g. by explicitly making individual settings to make the publication accessible to an unlimited number of persons on the social media platform).
3. Lawfulness of processing – legal grounds
- An important development was offered by the Court on the idea of necessity in the contractual context. Thus, the contractual basis could be relied upon by the controller if that processing is objectively necessary for the performance of the contract (which also derives from the GDPR and what is normally understood in practice in this case). But the CJEU also adds the requirement that the controller must be able to demonstrate that the main purpose of the contract could not be performed without the processing in question.
By introducing this additional requirement, it could be expected that the scope of the contractual ground will be reduced to a certain extent, making it more difficult for the processing to be justified on this ground.
- As regards the legitimate interest legal ground, the CJEU followed AG Rantos’s Opinion, which is in line with the practice followed so far in this respect. Thus, in order to rely on legitimate interest it is necessary to assess that:
- the processing is limited to what is strictly necessary to achieve the legitimate interest, and
- the interests, freedoms and rights of the data subjects do not override that legitimate interest.
Normally, these assessments are made in the context of legitimate interest assessments (LIA).
- Regarding the legal obligation ground, the CJEU states that here too there are several conditions to be met, namely that:
- the legal provision must meet a public interest objective
- the legal provision must be proportionate to the legitimate objective pursued by the data processing, and
- the data processing is carried out only to the extent strictly necessary.
As a comment on our part, a company cannot disregard an obligation imposed by law on the grounds that it does not consider that the obligation pursues a public interest objective. However, the company will have to ensure that, in fulfilling that legal obligation, the data processing is carried out only to the extent strictly necessary to comply with the legal provision, in the least intrusive way possible and respecting the principle of minimization.
4. Validity of consent in the case of a controller holding a dominant position
- According to the CJEU, the fact that the operator of an online social network, as controller, holds a dominant position on the social network market does not, as such, prevent its users from validly giving their consent to the processing of their personal data. However, that factor must be taken into account when determining whether the consent was in fact validly and, in particular, freely given.
We argue that this idea could be extrapolated to other areas of data processing.