The role of EU data protection law in the realm of competition law – Insights from the Meta judgment of the European Court of Justice
In parallel to the rise of the tech giants, the interplay between EU competition and data protection law has attracted increasing attention. This relationship was at the core of the 2019 Meta decision of the German Federal Cartel Office (Bundeskartellamt, BKartA), in which the authority held that Meta (formerly known as Facebook) had exploited its dominant position on the German market for social networks for private users by collecting, combining, and analysing so-called "off-Facebook" user data for personalised advertising, both from other Meta and third-party services.
In essence, the case revolved around the questions whether Meta's practices constituted infringements of the EU General Data Protection Regulation (GDPR) and whether such infringements could amount to anti-competitive behaviour. On July 4, 2023, the European Court of Justice (ECJ) answered both these questions in the affirmative, underscoring the importance of personal data as a key competitive asset for the digital economy. In addition, the Court provided a rather detailed road map for the cooperation of competition authorities with data protection authorities (DPA) competent for the enforcement of the GDPR. While data protection findings and investigations of the competent DPAs need to be respected, competition authorities remain free to draw conclusions under competition law.
In reaction to the ECJ’s judgment, Meta has recently announced a potentially historic shift towards a user consent-based data processing model. However, since the announcement’s wording leaves open potential loopholes, the actual extent of this shift remains unclear.
I. Background
On February 6, 2019, the BKartA adopted an innovative stance, holding that infringements of the GDPR may indicate an abuse of a dominant position under competition law, more specifically under § 19(1) German Competition Act (Gesetz gegen Wettbewerbsbeschränkungen, GWB). The BKartA held that Meta had abused its dominant position on the social network market for private users by processing user data originating from outside the social network Facebook without users’ valid consent. This so-called “off-Facebook data” had been collected both from other services owned by Meta (i.e. Instagram, WhatsApp, Oculus) and third-party apps or websites to refine targeted advertising.[1]
While the Düsseldorf Court of Appeals (Oberlandesgericht, OLG) had initially granted Meta’s appeal the effect to suspend enforcement of the BKartA’s decision,[2] its verdict was soon overturned by the German Federal Court of Justice (Bundesgerichtshof, BGH).[3] This did however not prevent the OLG Düsseldorf from, as part of the main proceedings, referring to the ECJ questions on the interpretation of certain provisions of the GDPR and the competence of competition authorities to assess their infringement.[4] On September 20, 2022, Advocate General (AG) Rantos expressed his affirmative opinion on the matter,[5] which was confirmed and further reinforced by the judgment of the European Court of Justice (ECJ) delivered on July 4, 2023.[6]
II. Core findings of the ECJ
1. The relationship between the GDPR and competition law
Most importantly, the Court confirmed the BKartA’s innovative approach that violations of the GDPR may also indicate violations of competition law, in circumstances where a dominant undertaking such as Meta is concerned. This is because “personal data and the fact that it is possible to process such data have become a significant parameter of competition between undertakings in the digital economy”.[7] Thus, the ECJ held that the GDPR and competition law, while distinct, can overlap, especially in markets where data is a crucial asset. Hence, the Court’s reasoning is grounded in the assumption of a strong link between the personal data processed and the competitive process on the market (for social networks) concerned.
With regard to the competence of competition authorities such as the BKartA to assess potential data protection law infringements and potentially deduct legal consequences, the ECJ introduced a specific framework for interaction with the DPA responsible for the enforcement of the GDPR.[8] Based on the principle of cooperation laid down in Art. 4(3) TFEU, the Court held that competition authorities should initially ascertain whether a specific behaviour is or has already been addressed by the competent DPAs or the CJEU. While the competition authority may not depart from the data protection findings of such a decision, it “remains free to draw its own conclusions from the point of view of the application of competition law”.[9] Thus, although the two areas of law may be particularly intertwined in the attempt to reign in digital economy, conduct compliant with data protection law may still infringe competition law – and vice versa.
2. Meta’s infringements of the GDPR
However, the ECJ also deemed Meta’s practice to collect, combine and analyse “off-Facebook” user data with “on-Facebook” data without explicit and informed user consent incompatible with the GDPR.
First, the Court held that while some data processing can be justified as necessary for the performance of a contract under Art. 6(1)(b) GDPR, Meta's broad data collection practice went beyond these boundaries.[10] In evaluating whether Meta could use the performance of its contract with the user as a legal base for its processing practice, the ECJ observed that although content personalisation may benefit users, it cannot be deemed essential for delivering online social networking services. For Art. 6(1)(b) GDPR not to serve as a circumvention of the other legal bases, the data processing must be "objectively indispensable" for an aim that is "integral to the contractual obligation".[11]
With regard to Meta’s argument around its legitimate interest in data processing for personalised advertising (Art. 6(1) (f) GDPR), the ECJ clarified that such interest cannot override the fundamental rights and freedoms of data subjects which require protection of personal data.[12] Although the ECJ acknowledged that the use of personal data for personalised ads might theoretically constitute a legitimate interest, it held that Meta's data processing activities could not pass the balancing test required by Art. 6(1) (f) GDPR. Most importantly, this reasoning relies on the Court’s assumption that Meta's processing practice would not have reasonably been expected by Facebook users.[13]
As the ECJ also found that this practice could not be justified by legal obligations (Art. 6(1)(c) GDPR),[14] protection of vital interests of the data subject (Art. 6(1)(d) GDPR),[15] or tasks carried out in the public interest (Art. 6(1)(e) GDPR),[16] the ECJ identified freely given consent under Art. 6(1)(a) GDPR as the only possible justification in the circumstances at hand.[17] However, the Court went on to indicate that Meta's claim to have obtained such valid consent must be refuted, as it had neither been informed nor explicit.[18] To reach this conclusion, the ECJ emphasised that an undertaking’s market dominance can – while it does not, as such, prevent valid consent – influence whether consent is freely given.[19] Where users are pressured to give their consent by a lack of alternative or face exclusion from the platform, the validity of such consent can be questioned. In particular with regard to the off-Facebook data, the Court indicated that Meta's requirement of user consent to process non-essential data for accessing Facebook might have created such a coercive environment.
III. Enforcement & reactions
1. The BKartA’s decision
On June 7, 2023 – i.e. even before the ECJ’s ruling – the BKartA announced a partial agreement with Meta regarding the implementation of the parts of its decision concerning personal data shared within the Meta conglomerate, i.e. between Facebook and Meta’s other services.[20]
The partial agreement requires Meta to ensure that its customers may freely choose between using Meta's services either separately or in a combined form through an account management center. Opting for the combined format will provide additional features such as crossposting, but also mean that Meta will process the consolidated data for personalised advertising. As users’ consent must be obtained freely, it will have to be reiterated where it was not. Only in specific scenarios will data processing be permissible without specific user consent, especially for security reasons. Reaching the very heart of several tech giants’ business models based on the processing of personal data, these requirements mark a significant shift towards preventing the indiscriminate sharing of user data across platforms.
By contrast, no agreement has been reached so far between the BKartA and Meta with regard to off-Facebook data generated by third-party websites and apps. This personal data, often gathered without explicit and informed user consent, is symptomatic of the conflict between tech giants’ interest to refine their advertising and monetisation strategies and the need to ensure user autonomy and privacy. Given the strong tailwind generated by the ECJ ruling, it can however be assumed that the BKartA will not agree to a less clear-cut solution than the one adopted for personal data generated by Meta services. The negotiations’ outcome is likely to set a relevant precedent for other digital players.
2. Norwegian DPA: temporary ban
Less than two weeks after the ECJ’s judgment, the Norwegian Data Protection Authority (Datatilsynet) reacted by issuing a preliminary administrative order against Meta.[21] This provisional measure, effective for an initial period of three months starting on August 4, 2023, bans Meta from processing the personal data of Facebook users based in Norway for behavioural advertising purposes. Drawing on Article 6(1)(b) and (f) of the GDPR, Datatilsynet’s injunction underscores that Meta has yet to stop the GDPR infringements confirmed by the ECJ. Although temporary, the Norwegian provisional measure may well establish a potential blueprint for other (data protection) authorities.
3. Meta’s announcement to shift to “consent” as its primary base for processing
In reaction to these enforcement steps, the ECJ judgment, and an earlier decision of the European Data Protection Board delivered through the Irish Data Protection Commission,[22] in a long-awaited step on August 1, 2023, Meta announced its intention to shift from "legitimate interest" (Article 6(1)(f) GDPR) to "consent" (Article 6(1)(a) GDPR) as its primary legal base for processing “certain data for behavioural advertising”.[23] If implemented across the board, this reorientation would mark a profound shift in Meta's data processing history.
However, due to the wording of Meta’s announcement potentially limiting the shift’s scope to “behavioural” personal data, it has already come under critical scrutiny.[24] Until the transition is completed, ambiguity will indeed remain around the extent to which data processing functionalities will be subject to the adaptation of Meta’s data processing policy. By way of example, it currently remains unclear whether the age or name of a user will be deemed personal data processed for "behavioural advertising" by Meta.
IV. Conclusion & outlook
As Meta navigates these regulatory waters, the ECJ’s judgment is likely to not only set the future and shape of its core business model, but also influence the global digital economy as a whole. Though echoing much of AG Rantos’ opinion, the ECJ provides a clearer blueprint for future interactions between competition authorities and DPAs. In doing so, the ECJ’s judgment firmly establishes that GDPR infringements can also be assessed by competition authorities when analysing their impact through the (independent) lens of competition law. Thus, dominant companies, especially in data-driven markets, must not only ensure that their data processing operations comply with data protection law for its own sake, but also to make sure infringements do not amount to an abuse of a dominant position on the respective market.
Whether this reasoning can be extended to other regulatory areas remains to be seen. In case the ECJ reasoning is transferable, these other areas – such as the laws regulating environmental, social and corporate governance (ESG) – could henceforth also play a role in the assessment of competition law infringements by the competent (competition) authorities. At first glance, this would appear to be the case, as regulatory requirements such as ESG laws play an increasingly important role for the competitive process and customers’ choice. Thus, these (and other) provisions have (or at least will) become a “significant parameter of competition” in the sense of the ECJ’s Meta judgment.[25] By consequence, the imminent question will rather be where – if at all – to draw the line to delimit fields that cannot (yet) be considered to regulate significant parameters of competition.
*Dr. Ann-Christin Richter is Deputy Managing Partner and Dr. Merlin Gömann is an Associate in Berlin
Footnotes
[1] BKartA, Decision of February 6, 2019, B6-22/16.
[2] OLG Düsseldorf, Decision of August 26, 2019, VI-Kart 1/19 (V).
[3] BGH, Decision of June 23, 2020, KVR 69/19.
[4] OLG Düsseldorf, Decision of March 24, 2021, Kart 2/19 (V).
[5] AG Rantos, Opinion of September 20, 2022, C‑252/21.
[6] CJEU, Judgment of July 4, 2023, C‑252/21 (hereinafter: „judgment“).
[7] Judgment, para. 51.
[8] Judgment, para. 53 et seq.
[9] Judgment, para. 56.
[10] Judgment, para. 97 et seq.
[11] Judgment, para. 98.
[12] Judgment, para. 103.
[13] Judgment, para. 112.
[14] Judgment, para. 124 et seq.
[15] Judgment, para. 135 et seq.
[16] Judgment, para. 133 et seq.
[17] Judgment, para. 140 et seq.
[18] Judgment, para. 78, 142 et seq.
[19] Judgment, para. 147 et seq.
[20] BKartA, Press Release of June 7, 2023.
[21] Datatilsynet, Urgent and Provisional Measures – Meta of July 14, 2023.
[22] For more information on the latter see https://www.hausfeld.com/en-de/what-we-think/competition-bulletin/the-inside-scoop-on-the-cjeu-s-decision-in-i-unilever-v-agcm-i-1/.
[23] Meta, How Meta Uses Legal Bases for Processing Ads in the EU, Update on August 01, 2023.
[24] Noyb, Meta apparently switches to consent for behavioral ads after five years of litigation, August 01, 2023.
[25] Judgment, para. 51.