Companies holding a dominant position on their (digital) markets may be sanctioned by (national) competition authorities for infringing… the General Data Protection Regulation ("GDPR"). A dominant position may also imply additional hurdles for these companies when it comes to demonstrating that their data collection and processing practices rely on valid legal grounds under Article 6 GDPR.
Meta Platforms Ireland is well known for its various online social media platforms such as Facebook, Instagram, WhatsApp, Oculus and previously also Masquerade. The social media platform Facebook is provided free of charge to customers and is financed by “targeted” online advertising to users. Such targeted advertising relies on a detailed user profile based on personal information such as consumer behaviour, interests and purchasing power. The information is collected not only on the various platforms operated by the Meta group, but also on third-party webpages and apps (“off-Facebook data”). This processing activity relies on the acceptance by the customer of the Facebook general terms of service, which include a reference to cookie and privacy policies. In other words, to be able to use Facebook, users have no other choice than to accept the general terms of service and the processing of the user’s personal data by Meta for advertising purposes.
In 2019, the German Federal Cartel Office (“GFCO”) considered that Meta’s practices constituted an abuse of its dominant position on the market for online social networks (“GFCO Decision”). It therefore prohibited Meta from making the use of Facebook subject to the acceptance, through the general terms of service, of the processing of the user’s personal data from other Meta platforms and third-party webpages.
The proceedings for the annulment of the GFCO Decision before the Regional Court of Düsseldorf eventually reached the Court of Justice of the European Union (“CJEU”) and included several preliminary questions encompassing both competition law and data protection law aspects.
Allocation of roles between competition and data protection authorities
The case had been closely watched by those interested in the interaction between competition and data protection laws. Indeed, interestingly, the competition law infringement in the GFCO Decision relied directly on an infringement of the GDPR (more precisely of Articles 6(1) and 9(2)). As a result of its dominant position, Meta’s general terms constituted an abuse, since the processing of the off-Facebook data was not consistent with the values underlying the GDPR.
However, the CJEU also ruled that national competition authorities are bound by the principle of sincere cooperation under Article 4(3) TEU and therefore cannot deviate from a decision of a national supervisory authority. Hence, a national competition authority is required to consult and cooperate with the national supervisory authority when, in the exercise of its powers, it has to evaluate whether certain conduct is in breach of the GDPR. This consultation or collaboration obligation is not provided for in the GDPR, which only contains a cooperation mechanism for national supervisory authorities.
Additional insights provided on some key GDPR concepts
Furthermore, the CJEU conducted a detailed analysis of the possible application of the different legal grounds of Article 6 GDPR for the lawful processing of data as well as Article 9 GDPR regarding the processing of sensitive categories of personal data.
The CJEU notably ruled that the collection of on-Facebook and off-Facebook data and the linking of these data with the social network account of users could only be considered as “necessary for the performance of a contract” (Article 6(1)(b) GDPR) if such processing is objectively indispensable for a purpose that is integral to the contractual obligation (i.e. indispensable for the achievement of the main purpose of the contract). In this case, the CJEU rejected Meta’s justifications that its data collection and processing practices were necessary for guaranteeing users’ personalised content and the consistent and seamless use of the Meta group’s own services.
The judgment also made it clear that the fact that a platform holds a dominant position is a relevant factor to take into account when assessing whether consent has been “freely given” (in the sense of Article 6(1)(a) and Article 4(11) GDPR) by users of the platform. Indeed, such a dominant position “is liable to affect the freedom of choice of that user, who might be unable to refuse or withdraw consent without detriment” (para. 148).
Eubelius will be happy to assist you if you have any questions relating to your processing activities and your GDPR compliance.