In a nutshell, in respect to the questions referred to for a preliminary ruling before the Court, the Advocate General concluded that:
- a competition authority, while not competent to establish a violation of the GDPR, may examine, as an incidental question, the compliance of the practices investigated with the rules of the GDPR;
- it can be considered as processing of sensitive data the collection of such data carried out by an operator of an online social network (such as Facebook) when the user visits other websites or apps or enters such data into those websites or apps if the operator collects such data, links such data to the user account on the social network and uses such data – to the extent the information processed, individually or aggregated, allows to profile the user based on the categories that emerge from the types of sensitive personal data;
Note: AG Rantos makes reference to the EDPB Guidelines 8/2020 on the targeting of social media users, paragraph 124, stating that the mere fact that a social media provider processes large amounts of data which potentially could be used to infer special categories of data does not automatically mean that the processing falls under art. 9 of the GDPR (footnote 44 of the opinion).
- processing data in the manner described above may be lawful under art. 6(1)(b), (c), (d), (e) and (f) of the GDPR as long as each data processing method examined fulfils the requirements of the legal basis relied upon;
Note: In the context of necessity for the performance of a contract to which the data subject is party (art. 6(1)(b) of the GDPR), it was mentioned that the data collected in the manner described above were needed for a personalized content and continuous, seamless use of the Meta group’s products (or rather services). AG Rantos has indicated that although attaining these objectives may be in the user’s interest, useful or even preferable on occasion for the user, it is not apparent to Mr. Rantos that this processing is also necessary in order to provide the service of the social network at issue. AG Rantos also stated that consideration should also be given to the fact that the processing does not refer to data relating to user’s activities on the Facebook site or app, but data originating from external and therefore potentially unlimited sources (para. 53-57 of the opinion). In the context of the legitimate interest of the controller (art. 6(1)(f) of the GDPR), AG Rantos analyzes the justifications of personalization of advertising, network security and product improvement. In the case of each such justification, while not giving a clear-cut answer, he seems to be sceptic that the processing for such reasons would pass the three-step test of the legitimate interest ((i) pursuit of a legitimate interest, (ii) necessity of processing data for the purposes of the legitimate interest pursued and (iii) balancing the interests of the controller and interests and fundamental rights and freedoms of data subjects) (para. 58-66 of the opinion).
- a user does not manifestly make public his or her data, in the meaning of art. 9(2)(e) of the GDPR, when (i) such user visits a website or an app or enters his or her data into those websites or apps or when (ii) such data result from clicking on buttons integrated into those websites or apps;
- the mere fact that an undertaking providing a social network enjoys a dominant position cannot, on its own, render invalid the consent of its users to the processing of his or her personal data, though such a position may play a role in assessing the freedom of consent.;
The press release is available here, and the full opinion is available here.
Following this opinion, we expect now the Court to rule on the aforesaid matters.