Action by the German Federal Cartel Office

Meta collects user data, including off-Facebook activities and data from other online services like Instagram and WhatsApp. This information is used to create personalised advertising messages for Facebook users. The German Federal Cartel Office (Cartel Office) found that this data processing violated the GDPR and accordingly constituted an abuse of Meta's dominant position in the German social network market.

Following criticism that the Cartel Office should not combine decisions regarding data protection with competition, the Higher Regional Court in Düsseldorf referred questions to the ECJ regarding whether national competition authorities, like the Cartel Office, can review data processing operations for compliance with the GDPR.

Referral and ruling by the ECJ

The ECJ ruled that national competition authorities can assess whether a data processing operation complies with the GDPR in the context of examining an abuse of dominant position. However, the authorities cannot replace the supervisory authorities established by the GDPR. Their assessment of GDPR compliance serves only to establish the abuse of dominant position and impose measures based on competition law.

Key points addressed by the Court:

• To ensure consistent application of the GDPR, national competition authorities are required to consult and cooperate sincerely with the supervisory authorities responsible for GDPR enforcement. If a supervisory authority or the Court has already made a decision regarding an undertaking's conduct under the GDPR, the national competition authority must adhere to it, while still drawing its own conclusions based on competition law.
• Additionally, the Court noted that Meta's data processing may involve special categories of data, potentially revealing sensitive information like race, political opinions, religion, or sexual orientation. It is for the national court to determine whether the data collected can reveal such information and is in compliance with the GDPR. The Court also clarified that mere visits to websites or apps that may reveal sensitive data do not mean that the user has manifestly made the data public, as required by the GDPR. Explicit choices to make data publicly accessible are necessary.
• The ECJ examined whether justifications in the GDPR allow data processing without the data subject's consent. It expressed doubts about whether personalised content or seamless use of Meta group services meet the criteria for justifying processing without consent. Additionally, the ECJ stated that personalised advertising, used by Facebook to finance its activities, cannot be considered a legitimate interest justifying data processing without the data subject's consent.
• While holding a dominant position on the social network market does not prevent users from giving valid consent under the GDPR, the ECJ highlighted that the dominant position may affect users' freedom of choice and create an imbalance between them and the data controller. As such, Meta’s position is an importance factor in determining whether consent was freely given. The burden of proving the validity of such consent lies with the operator of the online social network.

The ECJ's judgment in Meta’s case encourages competition authorities to consider data protection in their assessments, but emphasises the need for cooperation between national competition authorities and supervisory authorities to ensure consistent application of the GDPR. The judgment clarifies the requirements for consent and justifications for data processing, particularly in the context of a dominant market position. Following this preliminary ruling, the case continues in front of the national court.

The ECJ’s judgment Case C-252/21 can be found here, and the press release here.