CJEU Rules on Data Protection, Social Media, and Competition Law
Adoption of EU-U.S. Data Privacy Framework
EDPB Plenary
– CJEU Rules on Data Protection, Social Media, and Competition Law –
On 4th July, the CJEU ruled in the case of Meta Platforms and Others. As to the facts of the case, the German Federal Cartel Office prohibited Meta from combining the personal data it collects on different users across all its platforms, including Facebook, Instagram and WhatsApp, arguing that this constitutes an abuse of the company’s dominant position on the market for users in Germany. Meta decided to challenge the decision in German courts. Against this background, seven questions were referred to the CJEU, which the Court bundled into four sets of considerations, which concerned:
Whether a competition authority can find data processing practices in violation of the GDPR, even where there is an investigation of the same practices by a DPA.
Whether, if a user of a social media network visits, or enters information into, an app or website related to a sensitive category of data, the processing of data related to these by the social media network should be regarded as sensitive data. And whether, then the user uses functions on these apps which allow themselves to be identified, this data should be considered as having been manifestly made public according to 9(2)(e).
Whether Articles 6(1)(b) and (f) mean that processing of users’ data by a social media network, involving the collection and use of data from other services withing the same corporate group, or from third-party websites or apps, and ‘the linking of those data with the social network account of those users and the use of such data’ can be considered as necessary for the performance of a contract, or as within the scope of legitimate interest. And whether Articles 6(1)(c), (d) and (e) could also relate such data protecessing, where this processing is carried out to ‘respond to a legitimate request for certain data, to combat harmful behaviour and promote security, and to research for social good and promote safety, integrity and security’.
Whether, according to Articles 6(1)(a) and 9(2)(a), consent given by a user of a social media network can fulfil the conditions of 4(11) – especially the condition ‘freely given’ – when the operator holds a dominant market position.
In light of these considerations, the Court concluded:
A competition authority investigating the abuse of a dominant position can find an organisation’s practices in violation of the GDPR, where this ‘finding is necessary to establish the existence of such an abuse’. Where, however, there has already been a decision by a DPA on such practices, the competition authority cannot depart from the decision of the DPA. Where the competition authority has doubts regarding the decision, where the DPA is conducting a parallel investigation, or where there is no investigation in progress, the competition authority must consult with the DPA prior to beginning its own procedures.
When a user of a social media network visits apps or websites related to the categories of sensitive data, processing of personal data by the social media network related to this use constitutes processing of sensitive personal data when ‘that data processing allows information falling within one’ of the categories of sensitive data to be revealed.
Where a user of a social media network visits an app or website related to the categories of sensitive data, the user does not make data related to these visits manifestly public. Where, however, the user makes an explicit choice to make data public – e.g. by clicking on a share button with certain settings – these data are considered to have been made manifestly public.
Article 6(b) means that processing of personal data by a social media network, collected from other services in the same corporate network, or from third-party websites, can be regarded as necessary for the performance of a contract to which data subjects are party, provided ‘processing is objectively indispensable for a purpose that is integral to the contractual obligation intended for those users’.
Article 6(1)(f) means the processing discussed in pt. 4 can fall within the scope of legitimate interests provided ‘the operator has informed the users from whom the data have been collected of a legitimate interest that is pursued…that such processing is carried out only in so far as is strictly necessary…and that it is apparent from a balancing of the opposing interests…that the interests or fundamental freedoms and rights of…users do not override that legitimate interest’.
Article 6(1)(c) means that the processing discussed in pt. 4 can fall within the scope of the provision provided ‘it is actually necessary for compliance with a legal obligation to which the controller is subject…where that legal basis meets an objective of public interest and is proportionate to the legitimate aim pursued and where that processing is carried out only in so far as is strictly necessary’.
Articles 6(d) and (e) mean that the processing discussed in pt. 4 ‘cannot, in principle and subject to verification by the referring court, be regarded as necessary in order to protect the vital interests of the data subject or of another natural person, within the meaning of point (d), or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, within the meaning of point (e)’.
Articles 6(1)(a) and 9(2)(a) mean that, when a social media network operator holds a dominant position, this ‘does not, as such, preclude the users of such a network from being able validly to consent, within the meaning of Article 4(11)…to the processing of their personal data by that operator’. Dominance, however, is ‘an important factor in determining whether the consent was in fact validly and, in particular, freely given, which it is for that operator to prove’.
This is a complex and fascinating case, dealing with a large range of provisions and issues. It is also a case which looks likely to have significant implications for EU data protection law – for example concerning the concept of ‘freely given’ consent. We strongly advise all those interested in data protection law to read the judgment.