On 4 July 2023, in its judgment C-252/21 Meta Platforms Ireland and Others v Bundeskartellamt, the Court of Justice of the EU (the “Court”) ruled on the interplay between the EU’s competition and data protection regulations, as well as on the core of the business model of the worldwide leading social networks operator. The preliminary ruling was issued following a request lodged by the courts of the Federal Republic of Germany.
Background to the dispute
Back in 2019, the Bundeskartellamt, Germany’s competition authority, found that Meta Platforms Ireland (“Meta”), the EU operator of Facebook as well as several other platforms, abused of its dominant position on the German social networks markets. The alleged abuse touched upon the very core of Facebook’s financial engine, based on profiling users and sending them tailored-made advertisements.
When agreeing to Facebook’s terms, users actually also have to subscribe to a data and cookies policy allowing the social network to track their movements on the web. It can then proceed to a wide-scale collection of personal data disseminated on off-Facebook websites and their combination to data provided by signing up to Facebook. The absence of competitors providing comparable services may push users to agree to these policies.
In light of this, the Bundeskartellamt forbade Meta from making the use of Facebook subject to processing user’s data collected off-Facebook, as well as processing these without prior collecting the consent of data subjects. In reaching this conclusion, the authority considered that the processing of the data collected off-Facebook infringes upon the principles underpinning of the General Data Protection Regulation (“GDPR”).
The issues at stake
The match played in the procedure before the Court was certainly important on both sides. On the one hand, prior to the Court’s ruling, it was unclear whether a national competition authority (“NCA”) could use the provisions of the GDPR as part of its assessment on an abuse of dominance, which made it uncertain whether the conclusions of the Bundeskartellamt would be well-grounded. On the other hand, this was a challenge to Meta’s entire business model, key to the group’s economic success.
The findings of the Court
On the first point, the Court acknowledged that, in competition law enforcement, NCAs may also need to examine whether the practices of an enterprise comply with the GDPR. Consequently, if required to establish the existence of an abuse of dominance, the Bundeskartellamt could conclude that Meta’s data processing policies be incompatible with the GDPR. In application of the principle of (horizontal) loyal cooperation, NCAs need to abide by fellow data protection authorities’ decisions (Article 51 of the GDPR) absent any precedent, they should consult and seek their cooperation.
On the second point, the Court considered essentially that the use of cookies or other storage technologies may entail the collection off-Facebook of personal data falling within special categories, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, etc. (Article 9.1 of the GDPR). Processing personal data of this kind is in principle prohibited under the GDPR but could be justified under the derogations per Article 9.2 thereof. In particular, data processing would be allowed if users manifestly made public their consent thereto (Article 9.2 (e) of the GDPR). However, the fact users visit the web and disseminate therein personal data (subsequently “captured” by cookies) is not equivalent to expressly providing such consent, which should have been given explicitly in advance.
Neither would Meta's processing operations be justified under the provisions of the GDPR allowing data processing without the data subject’s consent. In particular, the Court was doubtful whether the processing of personal data is objectively indispensable to perform the contract to which the user is part (Article 6.1 (b) of the GDPR), as its purpose may be achieved without carrying out such action and referred to national courts to carry out this assessment.
The way forward
The Court intended to be clear: the fact that a data controller holds a dominant position, solely of itself, does not prevent users from validly giving their consent to the processing of their personal data. However, dominance may deter users from providing their consent freely, as, absent competitors providing comparable services, they need to adhere to an aggressive cookies policy aimed at profiling them, if they want to access to social network services.
Share on
