On July 4, 2023, the Court of Justice of the European Union (CJEU) issued a ruling in the case involving Meta Platforms Inc., Meta Platforms Ireland, and Facebook Deutschland (Meta). The judgement explores the intersection of competition and privacy law with potentially significant impact on a wide range of businesses, including website/app and online social network operators. Key issues to consider include:
Companies’ GDPR compliance can also be considered by national competition authorities (NCAs) during their investigation of competition law infringements, whether these concern an abuse of dominant position or an anticompetitive agreement. More broadly, it cannot be excluded that the NCAs could take other types of EU legislation into consideration.
A company’s dominant position on a market does not preclude but is an important factor in assessing the validity of users’ consent with its processing of their personal data – such a determination may hinder certain data processing activities of entities subject to the Digital Markets Act (EU) 2022/1925 (DMA).
Simple processing of data about user visits to websites/apps referring to a special of category personal data (without users entering any information/logging in) may mean that this special category of personal data is actually revealed. Any sharing of the visit data with third parties is subject to users’ consent.
Should companies wish to rely on the “performance of a contract” as legal grounds for the provision of an online (social network) service with personalized content, they need to be able to demonstrate the content personalization is “objectively indispensable” for the provision of such service.
Companies that target individuals with personalized advertising on the basis of their “legitimate interests” as legal grounds are reminded that they should carefully balance their legitimate interests against those of the individuals, and if necessary, implement safeguards and document their legitimate interest assessment. Consent is the only alternative to legitimate interest as legal grounds for personalized advertising.
Given the breadth of the CJEU’s key findings, companies should thoroughly consider their potential implications. We explore these in more detail below.
On July 4, 2023, the CJEU issued a preliminary ruling on several questions referred to it by the Düsseldorf Higher Regional Court in Germany, concerning the interplay between data protection and competition law (Judgement). The case involving Meta follows a decision by the German Federal Cartel Office (FCO) finding an abuse of Meta’s dominant position on the market for online social networks for private users in Germany by Meta’s data collection and processing as provided for in its then general terms. The FCO’s investigation focused on user and device-related data collected through Facebook, other Meta-group services (such as WhatsApp, Oculus, Masquerade, and Instagram) and third-party websites/apps, and combined with Facebook’s user data. The FCO found Meta’s then general terms, which make use of Facebook subject to such processing, inconsistent with the General Data Protection Regulation (GDPR).
We outline key findings of the CJEU, as well as potential implications stemming from its Judgement.
Competition Authority’s Powers to Analyze Compliance with Privacy Rules | A Duty of Sincere Cooperation
What Does the Judgement Say?
The CJEU was asked, inter alia, to clarify whether the NCA, which is not a national data protection authority (DPA), could find that a company’s conduct breached the GDPR and issue an order to end such breach, for the purpose of enforcing competition law.
Considering that access to personal data and the fact that it is possible to process such data have become a significant parameter of competition between companies in the digital economy (see Paragraph 51 of the Judgement), the CJEU recalled that there is no provision in the GDPR nor any other instrument of EU law that prevents the national competition authorities from finding, in the performance of their duties, that a data processing operation carried out by an undertaking in a dominant position and liable to constitute an abuse of that position does not comply with that regulation (see Paragraph 43 of the Judgement).
The CJEU considered that NCAs are bound by a duty of “sincere cooperation” when they must examine whether a company’s conduct is compliant with the provisions of the GDPR. In general terms, they are required to consult and cooperate sincerely with the national data protection authority concerned or the lead data protection authority (see Paragraph 54 of the Judgement). The CJEU requires that an NCA must:
ascertain whether that conduct or similar conduct has already been the subject of a decision by the competent DPA, and if so, they must not depart from it;
consult and seek a DPA’s cooperation in order to dispel its doubts or to determine whether it must wait for the DPA to take its decision before starting its own assessment where:
a) the NCA has doubts as to the scope of the assessment carried out by the DPAs,
b) the conduct in question or similar conduct is simultaneously under examination by DPAs, or
c) in the absence of investigation by DPAs, the NCA takes the view that an undertaking’s conduct is not consistent with the provisions of the GDPR.
When a DPA is consulted, it must respond within a reasonable period of time. Absent such a timely response, the NCA may continue its own investigation.
Businesses will need to be more cautious as their GDPR compliance could now be investigated not only by a DPA but also by NCAs. The latter, of course, will have to carry out this investigation in light of their powers, i.e., finding infringements of competition law. This adds another enforcement risk to consider.
Although the judgement relates to a NCA decision on abuse of a dominant position, it cannot be excluded that a similar reasoning will be applied to other types of competition law infringements.
The judgment’s wording can be taken as opening the door for NCAs wanting to investigate and sanction conduct contrary to other types of EU legislation (e.g., telecommunications legislation) in order to find breaches of competition law, whether under Article 101 TFEU or Article 102 TFEU or their national equivalents.
Can a Dominant Company Ever Get Freely Given Consent for Data Processing from Its Users?
What Does the Judgement Say?
The CJEU found that the fact that the operator of an online social network holds a dominant position on the social network market does not automatically prevent the users of that social network from giving their free consent (in line with the GDPR) to the processing of their personal data by that operator. It emphasized, however, that dominance is an important factor in determining whether the consent is freely (i.e., validly) given to the operator and that the operator bears the burden of proof.
The CJEU also concluded that where consent for specific data processing is required, but not given by the user, the operator shall offer (if necessary, for an appropriate fee), a version of the network without such processing. It also clarified that where consent is required, a separate consent would be needed for processing data related to their conduct on and off Facebook.
Similar to the application of the GDPR by NCAs, DPAs might be tempted to consider the application of key competition law concepts, such as finding a company holding a dominant position, in their assessment of GDPR infringements.
Given that the DMA requires end user consent for certain processing of personal data (e.g., combining personal data from the core platform services with further core platform/other gatekeeper’s/ third-party services). A conclusion that such consent is invalid, if requested by a company with a dominant position, would render processing of personal data by gatekeepers for such purposes impossible.
The finding definitively closes the door on the possibility for providers to refuse access to the part of their service, for which processing of user data is not based on consent, to those users who refuse to give such consent. The finding is in line with the EDPB Guidelines on consent.
A More Expansive Interpretation of What Entails Special Categories of Personal Data?
Special categories of personal data can only be lawfully processed by businesses (i.e., data controllers, such as website/app/online social network operators) relying on a very restricted list of legal bases (e.g., individual making such data manifestly public/giving their consent).
What Does the Judgement Say?
The Judgement confirms that when an online social network user visits and enters, as the case may be, information into a website/app, which refers to a special category of personal data (e.g., health-related, political party websites, etc.), processing of such data by an online social network operator (e.g., collection via cookies/other trackers) will be considered ‘processing of special categories of personal data’. A mere processing of information about user visits may reveal sensitive information about them, even if they do not actively enter any data (e.g., by logging-in).
Furthermore, by visiting such websites/apps, the user does not manifestly make such data public. Where a user enters their data into/interacts with the website/app by clicking on a button (e.g., ‘Like’, ‘Share’, enters login credentials), this may be considered as making their data manifestly public if i) this is their prior choice (e.g., through settings); and ii) the user was fully aware that this will make their data publicly accessible to an unlimited number of persons. The CJEU also concluded that the user can expect that data about their visit to any such website/app will only be shared with third parties subject to their explicit consent.
Businesses will need to reassess whether simple processing of data about user visits to websites/apps referring to special categories of personal data (where users do not enter data in the website/app), means that such information is actually revealed.
Keep in mind that even if a business decides that visit data from the website/app with special category data connotation does not automatically reveal special category data, the CJEU nevertheless seems to expect that sharing of such data with third parties would be subject to explicit consent (which is a legal basis reserved for special category data).
Businesses will also need to consider whether their current website/app settings provide the user with a sufficient prior, actual and informed choice to make their data manifestly public.
Businesses which process and share user data via cookies, pixels and other online trackers are required to obtain users’ consent. This is typically done via cookie/online tracker consent banners linked to cookie/online tracker policies. Businesses will have to check if such consent is sufficient for them to process and share special categories of personal data.
“Contract Performance” as Legal Grounds for the Provision of Online Social Network Services
What Does the Judgement Say?
Under the GDPR, the processing of personal data can be relied on as a necessity for the performance of a contract, which suffices as legal grounds for the usage of such data. In the case at hand, the CJEU was asked to assess whether certain processing activities related to the provision of online social media services can rely on the “contract performance” legal ground. The CJEU ruled, in line with the interpretation already held by the European Data Protection Board, that any such processing must be “objectively indispensable” for a purpose that is integral to services provided under a contract with the data subject. It does not suffice that the processing is merely useful for the performance of the contract, what matters is that the processing is essential for the proper performance of the contract, and there are no viable, less intrusive alternatives available. The CJEU emphasizes that it is up to the controller to be able to demonstrate that the processing in question is “objectively indispensable” to the performance of the main subject matter of the contract. Specifically regarding Meta’s reliance on the “contract” legal grounds, the CJEU ruled that the personalization of content in this case does not appear to be “objectively indispensable” for the provision of online social network services, as those services could also be provided to users through an equivalent alternative that does not involve personalized content.
Organizations should first of all check whether or not they are relying on the “completion of contract” legal grounds for the provision of an online (social network) service with personalized content. If so, and they wish to continue relying on this legal ground, they may consider documenting their reasons for doing so. As the CJEU emphasized controllers should be able to demonstrate the content personalization is “objectively indispensable” for the provision of the online (social network) service. If the conclusion of the analysis is the processing is not “objectively indispensable” for the provision of the online (social network) service, organizations should consider relying on alternative legal grounds.
Should organizations rely on alternative legal grounds, in particular consent, it remains to be seen whether national courts and supervisory authorities will interpret this Judgement as implying an obligation on all providers to offer users online (social network) services with both personalized and non-personalized content alternatives, (for those who decline consent).
“Legitimate Interest” as Legal Grounds for Personalized Advertising on Online Social Networks
What Does the Judgement Say?
The CJEU first reiterated the three cumulative conditions which must be met to be able to rely on legitimate interests as legal grounds: (i) the pursuit of a legitimate interest, (ii) the necessity of processing data for that interest, and (iii) the absence of overriding interests or fundamental rights of the data subject. While the CJEU agreed that the processing of personal data for purposes of personalizing advertising can be a legitimate interest, it held that, despite the free nature of online social network services like Facebook, users cannot reasonably expect their personal data to be processed for personalized advertising. In line with previous positions taken by the European Data Protection Board, the CJEU considered the users’ interests and fundamental rights override the interest of the controller (Meta) to engage in personalized advertising, considering the extensive nature of this kind of processing (i.e., the volume and scope of personal data processed) and the significant impact on users, namely a feeling they may have that their private life is continuously being monitored. As a result, the data processing cannot be based on the controller’s legitimate interests.
As the DMA already imposes an obligation on gatekeepers such as Meta, who declared meeting the thresholds of the DMA, to obtain consent from users to process their personal data for the purpose of providing online advertising services (see Article 5(2) of the DMA), the impact on Meta of not being able to rely on its legitimate interests for the purposes of engaging in personalized advertising, may be limited.
However, for other organizations this Judgement reads as a reminder to carefully balance their legitimate interests against those of the individual, and if necessary to implement any safeguards and to document their legitimate interest assessment.
 Judgement of the Court of Justice of the European Union in Case C 252/21, Meta Platforms and Others, dated July 4, 2023, ECLI:EU:C:2023:537, available here
 DMA still allows reliance on Article 6(1), points (c) [legal obligation], (d) [vital interest of the data subject or of another natural person] and (e) [performance of a task carried out in the public interest or in the exercise of official authority vested in the controller] of Regulation (EU) 2016/679, where applicable.
 On July 7, 2023, seven large, systemic platforms notified the European Commission that they meet the thresholds to qualify as gatekeepers under the DMA. Meta was one of these companies.
 European Data Protection Board, Guidelines 05/2020 on consent under Regulation 2016/679, Adopted on 4 May 2020, section 38, available here.
 Pursuant to Article 9 of the GDPR, special categories include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, natural person’s sex life or sexual orientation, and the processing of genetic/biometric data (used for identification).
 European Data Protection Board, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, adopted on 8 October 2019, par. 22 et al. available here. The same reasoning can be found in the European Data Protection Board decisions in cases concerning Facebook and Instagram in the context of the one-stop-shop mechanism pursuant to Article 65(1)(a) of the GDPR.
 European Data Protection Board, Guidelines 8/2020 on the targeting of social media users, adopted on 13 April 2021, par. 56: “it would be difficult for controllers to justify using legitimate interests as a legal basis for intrusive profiling and tracking practices for marketing or advertising purposes, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering.”