Abstract
Competition authorities can identify a violation of the data protection rules when such a finding is necessary to establish an abuse of dominance under the competition rules. This is the main outcome of the judgment that the Court of Justice of the European Union (CJEU) delivered in Meta Platforms on 4 July 2023. The judgment is the next step in the saga that started with the 2019 competition decision of the Bundeskartellamt (the German Federal Cartel Office) requiring Facebook (now Meta) to refrain from combining user data from different sources beyond its social network. The judgment provides a welcome confirmation that data protection standards can also matter for the interpretation of the competition rules. However, what is more remarkable and less expected is the general framework the CJEU sets out for coordination between competition and data protection authorities building on the duty of sincere cooperation and the clarity with which it evaluates the different legal bases Meta invoked for processing user data. The judgment can become a reference point for assessing the legality of personal data processing by powerful firms, but also leaves competition and data protection authorities with an assignment to explore how to coordinate their work in the future.
Introduction
In a strongly worded judgment, 2 the Court of Justice of the European Union (CJEU) on 4 July 2023 answered the preliminary questions posed to it by the Higher Regional Court in Düsseldorf about whether the approach of the Bundeskartellamt (the German Federal Cartel Office) in its 2019 competition decision against Facebook (now Meta) was in line with EU law. In that decision, 3 the Bundeskartellamt had held Meta liable under German competition law for imposing unfair terms and conditions as assessed by reference to the standards laid down in the General Data Protection Regulation (GDPR). 4 In its preliminary ruling, the CJEU followed the Opinion of Advocate General Rantos 5 and endorsed the Bundeskartellamt's approach to rely on the data protection rules in the GDPR for establishing an abuse of dominance under competition law. The CJEU also clarified how to interpret the legal bases available under the GDPR for personal data processing activities conducted by a powerful player like Meta and provided a framework to guide competition and data protection authorities in coordinating cases where data protection rules are of relevance for assessing compliance with competition law as well.
While the strong statements of the CJEU about Meta's personal data processing leave little room for the Higher Regional Court in Düsseldorf to form its own opinion, the CJEU's guidance about how competition authorities should coordinate their investigations with data protection authorities is more open-ended. Even though the CJEU indicates that the Bundeskartellamt in its view met the ‘duty of sincere cooperation’ in the case at hand, future instances may not be as straightforward and require competition and data protection authorities to establish more detailed modes of collaboration based on the pointers provided by the CJEU. This is especially relevant with the entry into force of the Digital Markets Act, 6 which regulates data-related practices that are also covered by the GDPR.
After giving an overview of the facts and background of the case in Section 2, this case comment summarizes the reasoning of the CJEU in Section 3 and then analyses several aspects of the judgment in Section 4. Section 5 concludes by giving an outlook to the future.
Facts and background of the case
The Bundeskartellamt adopted its competition decision against Meta in February 2019. According to the Bundeskartellamt, Meta held a dominant position in the market for social networks and had abused that dominance. The abuse was alleged to consist of forcing users to agree to the combination of data collected through Meta's different services and from third-party sources as a condition for being able to use the Facebook social network. The Bundeskartellamt found that Meta lacked a valid legal basis under the GDPR for this form of combining personal data and thereby engaged in an exploitative abuse under Section 19(1) of the German Competition Act – the Gesetz gegen Wettbewerbsbeschränkungen (GWB). 7
Because of the controversy about integrating data protection rules into competition analysis at the time of the decision, 8 the Bundeskartellamt was careful to frame its concerns in the context of German and not EU competition law. The German Federal Court of Justice held in cases like VBL-Gegenwert 9 and Pechstein 10 that the German prohibition of abuse of dominance in Section 19(1) GWB can also be invoked in cases where one party dictates contractual terms that breach civil law principles or constitutionally protected rights. Following this approach, for which no precedent exists at EU level, 11 the Bundeskartellamt relied on the GDPR to hold Meta liable under German competition law for exploiting its dominance by imposing unfair terms and conditions on users.
Meta appealed the Bundeskartellamt's decision before the German courts. The Higher Regional Court in Düsseldorf ruled in favour of Meta in interim proceedings – arguing in its August 2019 judgment that the Bundeskartellamt was exclusively discussing a data protection and not a competition problem. 12 However, the German Federal Court of Justice on appeal in interim proceedings sided with the Bundeskartellamt in qualifying Meta's conduct as abusive in its June 2020 judgment. 13
The case came to the EU level via a preliminary reference to the CJEU from the Higher Regional Court in Düsseldorf in the proceedings on the merits. The Düsseldorf Court asked the CJEU, among others, whether a national competition authority can make findings about the consistency of personal data processing with the GDPR in the course of an abuse of dominance investigation under competition law. 14 While the Düsseldorf Court did not refer to any provisions of EU competition law, the CJEU answered this question in the context of the abuse of dominance prohibition of Article 102 of the Treaty on the Functioning of the European Union (TFEU), thereby bringing the case within the remit of the EU competition rules.
Judgment of the CJEU
The CJEU's reasoning can be divided into three main parts that each make their own contribution to our understanding of the interaction between competition and data protection law, namely: (1) how data protection concepts impact competition law and vice versa; (2) how to assess the GDPR's legal bases for personal data processing by a powerful player; and (3) how to coordinate the work of data protection and competition authorities. This section discusses the CJEU's reasoning on each of these three issues in turn.
A. Data protection concepts impact competition law, but less so the other way around?
The CJEU clearly confirms the ability of national competition authorities to check the consistency of personal data processing with the GDPR where relevant to assess the existence of an abuse of dominance. While acknowledging that data protection and competition authorities have different functions and tasks, the CJEU notes that there is no provision in the GDPR preventing national competition authorities from finding a violation of the GDPR in the performance of their duties. 15 In the view of the CJEU, the compliance of conduct with the GDPR may be ‘a vital clue among the relevant circumstances of the case’ in order to establish whether that conduct meets the competition rules. 16 According to the CJEU, access to personal data has become a significant parameter of competition in the digital economy. Therefore, excluding the GDPR rules from the legal framework to be considered by competition authorities in abuse of dominance cases ‘would disregard the reality of this economic development and would be liable to undermine the effectiveness of competition law within the European Union’. 17
The CJEU is less unequivocal about whether competition concepts matter for interpreting the scope of data protection law. As Advocate General Rantos also pointed out in his Opinion, 18 the CJEU argues that the dominance of a social network provider must be taken into account in determining whether a user has validly and freely given consent but does not, as such, render consent invalid. 19 Following this nuanced position, the CJEU does express serious doubts about whether the consent of Facebook users can be considered freely given. The CJEU notes that Article 7(4) GDPR requires users to be free to refuse consent for data processing activities that are not necessary for the performance of a contract and that the processing at stake does not appear to meet this threshold. 20 Given the scale of the data processing and its significant impact on Facebook users, the CJEU also submits that it is appropriate to give users the possibility of giving separate consent for the processing of data within the Facebook social network and for the off-Facebook data. In the absence of such a possibility, the consent of users to the processing of off-Facebook data must be presumed not to be freely given in the view of the CJEU. 21 Finally, the CJEU stipulates that users must still be able to use the social network if they refuse consent for data processing activities that are not necessary for the performance of the contract. According to the CJEU, this means that users have to be offered an equivalent alternative not accompanied by such data processing operations – if necessary, for an appropriate fee. 22
B. Assessing personal data processing by a powerful player
Beyond its strict interpretation of consent, the CJEU also approaches the other legal bases for personal data processing under the GDPR restrictively, namely performance of a contract, legitimate interests of the data controller, compliance with a legal obligation, performance of a task in the public interest and protection of the vital interests of data subjects.
For determining the necessity of data processing for the performance of a contract, the CJEU lays down a standard of data processing being ‘objectively indispensable for a purpose that is integral to the contractual obligation intended for the data subject’ and requires ‘no workable, less intrusive alternatives’ to be present. 23 In the case at hand, the CJEU argues that the provision of personalized content and the consistent and seamless use of Meta's own services do not appear to be necessary for offering a social network service. 24
With regard to the legitimate interests of the data controller as a legal basis for data processing, the CJEU finds that the interests and fundamental rights of users override the interests of a social network provider in offering personalized advertising because users cannot reasonably expect such use of their personal data – even though social network services are offered free of charge. 25 Similarly, the CJEU notes that it is doubtful that the controller's interest in improving a product or service to make it more efficient or attractive outweighs the interests and fundamental rights of users. 26 The CJEU continues by stating that the sharing of information with law enforcement agencies cannot constitute a legitimate interest because it is unrelated to the economic and commercial activity of Meta. At most, such data processing may be justified when objectively necessary for compliance with a legal obligation. 27
In the context of the legal basis involving compliance with a legal obligation under Article 6(1)(c) GDPR, Meta referred to the need to ‘respond to a legitimate request for certain data’. And in order to claim that the data processing is necessary for the performance of a task carried out in the public interest under Article 6(1)(e) GDPR, Meta relied on its purpose to ‘research for social good’ and to ‘promote safety, integrity and security’. 28 While the CJEU left it to the Düsseldorf Court to assess whether Meta is indeed under a legal obligation to collect personal data in a preventive manner in order to be able to respond to requests from national authorities to provide user data, 29 it is in its view unlikely that Meta was entrusted with a task carried out in the public interest to conduct research for the social good and promote safety, integrity and security, given the economic and commercial nature of the data processing. 30
Finally, Meta tried to justify its data processing on the ground that it is necessary to protect the vital interests of data subjects. In response to this claim, the CJEU stated that Meta, who is pursuing activities of an economic and commercial nature, ‘cannot rely on the protection of an interest which is essential for the life of its users in order to justify, absolutely and in a purely abstract and preventive manner, the lawfulness of data processing’. 31
C. Coordination framework set up by the CJEU
Another insightful part of the judgment is where the CJEU sets out a general framework for cooperation between data protection and competition authorities in the absence of any specific rules in EU law. Building upon the duty of sincere cooperation of Article 4(3) of the Treaty on the European Union, the CJEU explains that competition authorities are required ‘to consult and cooperate sincerely’ with data protection authorities to ensure that the rules and objectives of the GDPR ‘are complied with while their effectiveness is safeguarded’. 32 The CJEU then lays down a number of steps to be followed.
If the conduct at stake or similar conduct has already been the subject of a decision by a data protection authority or the CJEU, the competition authority cannot depart from the decision. 33 Where a competition authority has doubts about how its investigation relates to earlier or ongoing work in the area of data protection, it has to consult and seek the cooperation of the competent or lead data protection authority. 34 In turn, the data protection authority must respond to such a request for information or cooperation within a reasonable period of time. 35 If the data protection authority does not reply within a reasonable time, the competition authority may continue its investigation. The same applies if the data protection authority has no objection to a competition investigation being continued. 36 In the case at hand, the CJEU concludes that the Bundeskartellamt appears to have fulfilled its obligations of sincere cooperation because it notified the relevant German data protection authorities and the Irish Data Protection Commission, as the lead data protection authority, who all raised no objections to its actions. 37
Analysis
The CJEU's judgment provides welcome clarifications about the possibilities and limits that EU law sets for data protection and competition law to interact with each other to assess the legality of personal data processing by a dominant firm. Following the three-fold division of issues in the previous section, the three aspects discussed by the CJEU are now put into context with specific attention for the question of how the judgment will affect personal data processing in the future beyond the Meta Platforms case – also considering the entry into force of the Digital Markets Act.
A. How data protection and competition law interact with each other
Considering the earlier controversy about the relevance of data protection rules for competition law, 38 the CJEU's unambiguous confirmation that competition authorities can rely on data protection law in their assessment may seem striking. However, judgments like AstraZeneca 39 and Allianz Hungaria 40 already recognized that the breach of another area of EU or national law beyond competition law can be a factor in determining a violation of the competition rules as well. AstraZeneca dealt with misuse of regulatory procedures to obtain a patent and Allianz Hungaria concerned a breach of domestic insurance law. It is therefore no real surprise that the CJEU confirms that competition authorities can also look at data protection law when conducting competition investigations. While the reference to the need to prevent competition law's effectiveness being undermined 41 is not unprecedented but a phrase that the CJEU uses more often to support an expansive interpretation of the competition rules, the strong language is nevertheless noteworthy. The CJEU almost presents it as a stated fact that data protection concepts influence competition law.
The CJEU uses less strong language when determining the relevance of the dominance of a data controller under competition law for determining whether consent is valid under the GDPR. While stating that the dominance of a data controller does not by itself prevent users from giving valid consent, the CJEU's detailed stipulations do substantially limit the circumstances in which a powerful player can demonstrate that it has obtained valid consent. Where personal data is combined across services, it seems that consent can only still be regarded as valid when users can separately provide or refuse consent for any processing that is not strictly necessary for the performance of a contract. This clarification by the CJEU considerably restricts Meta's ability to combine personal data from different sources and between different services under the GDPR.
Considering the strong language used by the CJEU to reject the other legal bases Meta invoked as well, the Düsseldorf Court has little room to still find that Meta's data processing is consistent with the GDPR. This part of the judgment, in which the CJEU comments on all legal bases for data processing under the GDPR, will probably be referenced the most in the future because of the clear and outspoken explanations. The Norwegian Data Protection Authority already relied on this part of the CJEU’s reasoning to impose, on 14 July 2023, a temporary ban on Meta carrying out behavioural advertising based on the surveillance and profiling of users in Norway. 42 It therefore seems that the CJEU's judgment could be a turning point in how Meta processes personal data. Another relevant issue is how the judgment in Meta Platforms will affect future personal data processing by others.
B. The future of personal data processing after Meta Platforms
In this regard, it is worth noting that the powerful position of Meta seems to have influenced the CJEU's assessment of the different legal bases under the GDPR. In several instances, the CJEU refers to the scale of the data processing and its significant impact on users. 43 It therefore seems that the judgment supports a more asymmetric interpretation of the duties of data controllers under the GDPR, where a larger scale and impact implies that data controllers are more restricted in their data processing activities. 44 This is also in line with the so-called risk-based approach to the GDPR, according to which stricter conditions are attached to issues like data protection by design, the security of processing and the implementation of data protection impact assessments depending on the risk involved. 45 Following this reasoning, the judgment will thus likely also limit the extent to which other large providers of advertising-based platforms beyond Meta can still process and combine personal data across their portfolio of own and affiliated services without violating the GDPR.
Next to the GDPR, the Digital Markets Act (DMA) requires gatekeepers who provide core platform services 46 to refrain from combining personal data across services unless the end user has given consent within the meaning of the GDPR. 47 This provision is based on the Bundeskartellamt's case against Meta, so the DMA now imposes the same requirement on other gatekeeping platforms. According to recital 36 to the DMA, to prevent gatekeepers from unfairly undermining the contestability of core platform services, end users need to be offered a less personalized but equivalent alternative, without making the use of a core platform service or certain of its functionalities conditional upon consent. The CJEU seems to have been inspired by the recital, as it interpreted the concept of GDPR consent in the same way by stating that users must be offered an equivalent alternative when they refuse consent for data processing activities that are not necessary for the performance of the contract. 48
A question that the judgment leaves open is whether the GDPR can be interpreted in the same way for small-scale personal data processing activities of data controllers that do not qualify as dominant firms or gatekeepers under, respectively, competition law and the DMA. While the GDPR lays down a minimum level of data protection to which all data controllers are bound, the DMA targets a subset of the most powerful digital platforms. Because of this nature of the DMA, it may thus be that its data protection-relevant provisions, including regarding personal data combination, can be seen as a ‘GDPR plus’ regime by requiring more from gatekeepers than what stems from the regular interpretation of the relevant GDPR rules. Such an approach would ensure that gatekeepers are indeed bound by stronger obligations than the ones already laid down in other legal regimes beyond the DMA. This would also imply that the GDPR, as suggested above, tailors its standards of interpretation to the scale and scope of the personal data processing by the respective data controller, where less strict requirements apply to players engaged in smaller or less risky processing activities. Whether such an approach will indeed be applied following the CJEU's references to the scale and impact of Meta's personal data processing, however, remains to be seen in future cases. Such an asymmetric interpretation of the GDPR rules is arguably welcome to make compliance with data protection law more effective by expecting more from those data controllers who are able to implement stricter duties and whose activities have a larger impact.
C. The assignment for competition and data protection authorities
The entry into force of the DMA will also impact the dynamics in the coordination between competition and data protection authorities. By requiring competition authorities to consult the relevant data protection authorities, the CJEU in Meta Platforms leaves it to data protection authorities to control whether a competition authority can check compliance with data protection rules for the purposes of establishing a competition violation. However, the enforcement of the DMA is in the hands of the European Commission with only an advisory role foreseen for the European Data Protection Supervisor and the European Data Protection Board in the high-level group for the Digital Markets Act. 49 Because the DMA regulates practices of gatekeepers to which the GDPR also applies, including personal data combination and data portability, the European Commission will not need the approval of the data protection authorities to monitor these practices. This means that the roles are reversed in the DMA, as compared to the approach laid down by the CJEU in Meta Platforms, with the European Commission controlling enforcement, including the application of any relevant data protection concepts. It is therefore unlikely that competition authorities, and especially the European Commission, will still take up any of the data-related practices now covered by the DMA through using the GDPR as a benchmark for establishing an abuse of dominance, as the Bundeskartellamt has done. For such data-related practices of gatekeepers, the entry into force of the DMA has thus already bypassed the outcome of the Meta Platforms judgment.
However, the coordination framework set up by the CJEU remains all the more relevant for non-gatekeepers and for data-related practices that are not regulated by the DMA. For these cases where competition authorities may wish to rely on the GDPR in the future, the CJEU does not prescribe the exact contours of cooperation and thereby invites competition and data protection authorities to come up with more detailed frameworks or protocols to ensure consistency in the application and interpretation of the GDPR. From the perspective of interpreting data protection concepts for the purpose of establishing a competition violation, the CJEU also states that a competition authority ‘remains free to draw its own conclusions from the point of view of the application of competition law’ even when a relevant decision on the conduct has already been taken by a data protection authority or the CJEU. 50 This raises the question of what room for deviation there is, considering that competition law has its own, autonomous interpretations of various concepts (think of ‘undertaking’ or ‘agreement’ for instance). The judgment seems to leave leeway for competition authorities to set different thresholds for intervention than the GDPR when interpreting data protection rules for the purpose of establishing a competition violation. An example could be a competition authority finding an abuse of dominance consisting of unfair processing of personal data, even though the data protection authority would not have been able to establish a violation for the same behaviour under the GDPR.
Outlook
Based on the CJEU's judgment, it is now up to the Düsseldorf Court to decide on the fate of Meta's personal data processing in the proceedings on the merits at national level. Considering the strong statements of the CJEU, it seems that the Düsseldorf Court has little room to still conclude that the Bundeskartellamt's decision should be quashed. The strong language used by the CJEU indicates that it regards the Meta Platforms case as a clear example of a competition authority legitimately intervening after coordinating with the relevant data protection authorities against behaviour that almost without a doubt violates the GDPR. Of more general relevance beyond the circumstances of the case, the CJEU clarified that the data protection rules can be a factor for competition authorities to decide whether there is an abuse of dominance and that dominance can, in turn, be a factor in assessing the validity of consent under the GDPR. Because the CJEU interpreted all legal bases for personal data processing, it has given welcome clarifications about the scope of the GDPR that may also help data protection authorities to more effectively enforce compliance with data protection rules in the future.
While the CJEU provided clarity about the legality of Meta's personal data processing under the GDPR and the DMA now includes the same requirement for other gatekeepers beyond Meta, there will likely be further cases at the intersection of data protection and competition law that are less straightforward. These could be cases where the dominance of the data controller or the problematic nature of its data processing activities is less pronounced. So while the CJEU opens the door for establishing further synergies between the two legal domains, it also leaves competition and data protection authorities with an assignment to coordinate their respective competences and interpretations of the law in the future.
Declaration of conflicting interests
The author declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
This work was undertaken in the context of the Digital Legal Studies research initiative, which is funded through the Law Sector Plan of the Dutch Ministry of Education, Culture and Science (OCW).
