As Meta awoke one day from uneasy dreams it found itself transformed…

Posted on | by Oliver Jackson

It’s been a few days since the CJEU’s landmark 4th July decision in Meta Platforms v Bundeskartellamt (Case C-252/21). As readers of the blog will probably have seen elsewhere, this was no Independence Day victory for Meta. Instead, the CJEU Grand Chamber upheld the idiosyncratic blending of competition law and GDPR by the German competition regulator (the Federal Cartel Office, or FCO).

The full consequences of the judgment are not yet clear, but the most significant impact is likely to be on tech companies that monetise their users’ data from product A through targeted advertising on product B e.g. Meta collecting data from Instagram to target adverts on Facebook. This post outlines the headline points from the judgment and concludes with some quick thoughts on what Meta might mean in future for tech companies, users and regulators.

The German competition law proceedings

To recap: Meta operates Facebook, one of the largest online social networks in the world, along with Instagram, WhatsApp, Messenger, and a large number of other social media platforms. Meta’s operations are primarily financed by monetizing its users’ data through targeted advertising. That is, advertisers pay Meta to show their adverts to users who, based on the data profile that Meta has built up for them through their activities on Meta’s products, are thought to be good matches for that advert (this is a lucrative business: Meta’s revenue in 2022 was $116 billion, of which $113.6 billion came from advertising).

The FCO investigated Meta in Germany for breach of Art 102 TFEU (abuse of dominance). On 6 February 2019 it found that the way Meta processed its users’ data was in breach of the GDPR and so constituted an abuse of Meta’s dominant position on the market for online social networks. The GDPR breach was said to be Meta’s use of its users’ data from non-Facebook products (Instagram, Whatsapp, and the like), which was then linked to those users’ Facebook accounts in order to better target advertising at them on Facebook [29-30]. Meta challenged this decision in the German courts, who referred several questions to the CJEU.

The first question for the CJEU was whether a national competition regulator such as the FCO has jurisdiction to determine breaches of the GDPR. If so, then several further questions asked whether this aspect of Meta’s business model involved any such breaches [34-35].

The CJEU Grand Chamber judgment

Issue 1: Do competition law authorities have jurisdiction over GDPR breaches?

The CJEU concluded that a competition regulator may indeed find a breach of the GDPR, but only if that is necessary to establish an Art 102 TFEU abuse of dominance. Further, the competition regulator may only do so after cooperation with the supervisory data protection authorities (DP authorities), whose decision as to a GDPR breach is binding on the regulator [62-63].

The reasoning behind this conclusion is more nuanced than some reports have suggested:

  1. Arts 51, 56, 57 and 58 GDPR confer jurisdiction and powers on DP authorities to monitor breaches of the GDPR [37-41]. Different DP authorities across the EU are also required to cooperate with each other under Art 61 GDPR. However, that article is not addressed to competition regulators [41-42]. No other EU instruments provide any specific rules on cooperation between competition regulators and DP authorities. That is not a surprise, as these institutions fulfil different functions under EU law [43-44].
  2. Self-evidently, competition regulators are required to take decisions as to breaches of competition law. In doing so, they must consider all the circumstance of the case. GDPR compliance may be “vital clue”, depending on the case. Accordingly, it may be necessary for competition regulators to make findings on GDPR breaches [46-48]. Indeed, this may be particularly important where access to personal data and processing of that data has become “a significant parameter of competition” in the digital economy [50-51].
  3. That said, competition regulators may not replace DP authorities. Pursuant to the duty of sincere cooperation in Art 4(3) TFEU, they must co-operate with DP authorities and, where the DP authority has already investigated and made a finding on an alleged GDPR breach, they are bound by that finding (although they are of course free to draw their own conclusions as to whether there has been a competition law breach) [56].
  4. Where the DP authority has not investigated then the competition regulator must consult it anyway. The DP authority should respond in good time [57-59]. In this case, the FCO had consulted the German and Irish DP authorities before making its decision, and so had fulfilled its obligations [60].

With the jurisdictional issue out of the way, the CJEU turned to the questions of whether Meta’s linking of users’ data from non-Facebook products with their Facebook account was GDPR compliant.

Issue 2: Special category personal data

Meta collects data from users’ visits to websites or apps that may be related to Art 9(1) GDPR special category personal data (e.g. gay dating apps, political party website, or health-related websites). It then links that data with data from the user’s Facebook account and uses it as part of its advertising business model [71].

The Grand Chamber held that it was for the national courts to determine whether processing of data by a social network revealed a person’s special category personal data. This could occur because, for instance, the social network collected data that the person had registered or made an online order with such a website/app. In some circumstances, just visiting the website/app might suffice [68-72]. But if it did, then a social network processing such data, linking that data with the user’s social network account, and using it, all fell within scope of ‘processing of special category personal data’ in Art 9(1) GDPR and was prohibited (subject to any applicable Art 9(2) derogations) [73].

The only Art 9(2) derogation relied on was Art 9(2)(e) derogation (personal data made public by the data subject). The CJEU explained that this could not be engaged where a person simply visited a website/app [78-79], but might be engaged if the person interacted with the website/app (e.g. by logging in, placing an online order, or ‘Liking’ or ‘Sharing’ it) and had explicitly chosen beforehand to make their data “publicly accessible to an unlimited number of persons[85].

Issue 3: was the processing within scope of Arts 6(1)(b) to 6(1)(f)?

The German court referred to the CJEU, wholesale, five questions about whether Meta could rely on any of the five lawful bases for processing at Arts 6(1)(b) to 6(1)(f) [86-92]. While emphasizing that these were issues for the domestic court [96], the CJEU suggested (addressing the Art 6(1) bases out of their usual order) that:

  1. Art 6(1)(b) (processing necessary for performance of a contract) could only be met if the processing was “objectively indispensable” for the “main subject matter of the contract[98, 125]. It was not satisfied where there was no contractual obligation for users to subscribe to all of Meta’s products in order to use Facebook. The products were independent. Targeted content was also not necessary for the user to use an online social network [99-104].
  2. Art 6(1)(f) (processing necessary for legitimate interests) could only be satisfied if the users had been informed of the legitimate interest, the processing was strictly necessary, and the balance of competing interests lay in favour of the processing [106]. None of these conditions were met [107-124, 126]. In particular, Meta’s interests in financing its operations through targeted advertising was outweighed by the privacy interests of the user, especially children, and especially where the processing was so extensive [112-118].
  3. Art 6(1)(c) (processing necessary for compliance with legal obligation) would likely only apply, in this context, where Meta was under “a legal obligation to collect and store personal data” in order to be able to respond to requests from national authorities. Given the lack of evidence before the CJEU, this issue was for the national court to address [131-132].
  4. Similarly, Art 6(1)(e) (processing necessary for public interest) was also for the national court, but would require Meta to be “entrusted with a task carried out in the public interest”, which seemed “unlikely” [133-134].
  5. Art 6(1)(d) (processing necessary for vital interests) covered interests such as humanitarian purposes, such as monitoring epidemics and natural disasters, and not be relied on by Meta in these proceedings [135-137].

Issue 4: Consent

Finally, the Grand Chamber addressed the question of consent. The question in a nutshell was whether consent could be freely given, for the purposes of Arts 6(1)(a) and 9(2)(a) GDPR, where Meta held a dominant position on the market for online social networks [140].

The CJEU explained that the fact that an operator held a dominant position did not prevent a user being able to validly consent to the processing of their data (whether for targeted advertising or otherwise) [147]. But the dominant position was still relevant – it “may create a clear imbalance” between the data subject and the controller [149]. Accordingly, a user had to be able to refuse their consent from a particular data processing operating “without being obliged to refrain entirely from using the service offered by” the social network operator [150]. In particular, a user had to be able to withhold their consent from Meta processing their data collected from non-Facebook products [151].

Comment

The importance of this judgment can barely be overstated. It contains a wealth of material for academics, practitioners and businesses to pore over it. Some fuller thoughts may be provided on this blog in future, but for now, I leave you with 6 quick points:

  1. First, the FCO’s imaginative interpretation of Art 102 TFEU lives on. It would be surprising if this did not lead to further EU abuse of dominance decisions against large tech companies on the basis of breaches of GDPR (although see point 6 below). But the same could also be true in the UK: even after Brexit, the chapter 1 and chapter 2 prohibitions in the Competition Act 1998 remain largely identical to Arts 101/102 TFEU, the UKGDPR remains largely identical to the GDPR, and domestic courts may still “have regard” to post-IP completion day CJEU judgments (such as Meta) under s.6(2) of the European Union (Withdrawal) Act 2018. The UK Competition and Markets Authority will surely be paying close attention.
  2. Second, the CJEU’s reliance on the duty of sincere co-operation in Art 4(3) TFEU to establish an obligation of co-operation between competition regulators and DP authorities is novel and far-reaching. It is far from clear how an investigation by a DP authority into an alleged GDPR breach will interact with competition regulator investigations. For instance, could a DP authority choose not to investigate an alleged GDPR breach on the basis that the competition regulator already has a competition law investigation up and running?
  3. Third, and as a practical point, businesses should now be doubly cautious of what documents they provide to DP authorities, considering that these may later be shared with competition regulators. Further, given the CJEU’s reasoning on Art 4(3) TFEU, it seems that the same logic applies in the reverse situation – there doesn’t seem to be a reason why a DP authority, investigating an alleged GDPR breach, shouldn’t ask a competition regulator to share information with it.
  4. Fourth, there may still be a way for tech companies to continue to process some data from websites relating to special category personal data (e.g. gay dating websites etc) as part of targeted advertising. Meta [85] suggests that a user may consent to such processing if they are ‘interacting’ with the website in question (e.g. logging in or clicking ‘Like’ or ‘Share’, as opposed to just visiting) and have “explicitly made the choice beforehand” with “full knowledge of the facts”. Such an informed choice could be made by consenting to a sufficiently detailed privacy policy.
  5. Fifth, on the facts, Meta was based on Facebook’s privacy policies and terms and conditions as they were in early 2019, at the time of the FCO’s decision. As the CJEU sets out at [32]-[33], matters have moved on since then. Meta has introduced new terms and conditions, and an “Off-Facebook Activity” feature which allows users to disconnect data collected by Meta from non-Facebook activities from the data stored on Facebook account. No doubt further changes to Meta’s policies will be made as a result of this judgment. Meta could sensibly argue that the CJEU decision is of limited relevance to its current business model.
  6. Sixth, the decision may be overtaken in the EU by the introduction of the Digital Markets Act (DMA). On Monday 3 July, just one day before Meta was handed down by the CJEU, the European Commission published a press release naming the seven large tech companies that met the thresholds for designation as a gatekeeper under the DMA. One of them is Meta. If designated, then the DMA imposes various onerous obligations designed to ensure fair competition in the online marketplace. These will no doubt be discussed in a future blog post. Watch this space!

Oliver Jackson