CJEU - C-252/21 - Meta Platforms and Others v Bundeskartellamt

From GDPRhub
CJEU - C-251/21 Meta Platforms and Others v Bundeskartellamt
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 6 GDPR
Article 9 GDPR
Article 4(11) GDPR
Decided: 04.07.2023
Parties: Meta Platforms
Case Number/Name: C-251/21 Meta Platforms and Others v Bundeskartellamt
European Case Law Identifier: ECLI:EU:C:2023:537
Reference from: OLG Düsseldorf (Germany)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: at

The CJEU decided in the case concerning Meta that competition authorities can rule on the compliance or non-compliance of the undertaking with the GDPR in the context of a decision on an abuse of a dominant position. CJEU ruled on all six legal basis to process data, further clarifying the interpretation of Article 6(1) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

Meta Platforms Ireland (Meta) offers the social network service Facebook within the EU. Other online social network services - including Instagram and WhatsApp - are offered by other undertakings belonging to the Meta group.

The business model regarding Facebook essentially consists of personalised advertisement based on the production of detailed profiles of Facebook-users and users of the other online services offered by the Meta group (the users). The users provide data directly to Meta when they sign up to Facebook. In addition, Meta collects data of the users from the social network services provided by the Meta group as well as third-party websites and apps (“off-Facebook data”) and links such data to the users’ accounts. The aggregate view of the data allows Meta to draw detailed conclusions about those users’ preferences and interests.

Meta processes such data on the basis of a contract it enters into with a user when the user signs up to Facebook and accepts the general terms of use. In order to use Facebook, the user must accept the general terms.

The Federal Cartel Office (Bundeskartellamt) brought proceedings against Meta Platforms, Meta Platforms Ireland and Facebook Deutschland (the companies).

By its decision, the Bundeskartellamt prohibited those companies from 1) making – in the general terms of use – the use of Facebook subject to the processing the user’s ‘off-Facebook data’ and 2) from processing the data without the user’s consent, with regard to private users residing in Germany. The Bundeskartellamt viewed that the use of such general terms constitute an abuse of Meta’s dominant position on the market for online social networks for private users in Germany, in particular, since the processing of the 'off-Facebook data' is not consistent with the underlying values of the GDPR and cannot be justified in the light of Article 6(1) and Article 9(2) GDPR.

It followed, that the companies brought an action against the decision before the Higher Regional Court in Düsseldorf, Germany (the Court). The Court referred to the CJEU for a preliminary ruling.

Holding[edit | edit source]

Firstly, it was stated by the CJEU that in the context of the examination of an abuse of a dominant position by an undertaking on a particular market, it may be necessary for the national competition authority also to examine whether that undertaking’s practices comply with rules other than those relating to competition law, such as the GDPR. It followed, that the CJEU held that in accordance with Article 51 GDPR and Article 4(3) TEU a national competition authority may find that an undertaking’s general terms of use and the implementation thereof are not consistent with the GDPR, where that finding is necessary to establish the existence of such an abuse of a dominant position.

If the competition authority examines whether undertaking’s conduct is consistent with the provisions of the GDPR and that conduct or similar conduct has already been the subject of a decision by the competent supervisory authority or the Court, the national competition authority cannot depart from it. However, it can draw its own conclusions from the point of view of the application of competition law. In the absence of investigation by the competent supervisory authority, the competition authority must consult and seek the cooperation of competent supervisory authorities. All authorities are then bound to observe their respective powers and competences, in such a way as to ensure that the obligations arising from the GDPR and the objectives of that regulation are complied with while their effectiveness is safeguarded.

Secondly, the CJEU considered essentially whether the collection - by means of integrated interfaces, cookies or similar storage techonologies - of data of the users visits to websites and apps to which one ore more of the categories referred to in Article 9(1) GDPR relate, and collection of information that the users may enter into integrated interfaces, the linking of all those data with the individual user's account and the use of those data by the operator must be regarded as processing special categories of personal data. The CJEU held that such practices must be regarded as processing of special categories of personal data within the meaning of Article 9(1) GDPR. Processing of special categories of personal data’ is in principle prohibited, subject to the derogations provided for in Article 9(2) GDPR.

Furthermore, the CJEU held that where the user of an online social network visits websites or apps to which one or more of the categories set out in Article 9(1) GDPR relate, the user does not 'manifestly make public', within the meaning of Article 9(2)(e) GDPR, the data relating to those visits collected by the operator of that online social network via cookies or similar storage technologies. On the other hand, in the circumstance where the user has explicitly made the choice beforehand to make the data relating to them publicly accessible to an unlimited number of persons and than enters information into such websites or apps or where the user clicks or taps on buttons integrated into them that user can be considered to 'manifestly make public' their data.

Thirdly, the CJEU examined whether Meta's processing operations are covered by the justifications set out in the GDPR (Article 6(1) (b) to (f) GDPR) allowing the processing of data carried out without the data subject’s consent to be made lawful. In that context, the CJEU found that the need for the performance of the contract to which the user is party may justify the practice at issue under Article 6(1)(b) GDPR only on the condition that the processing is objectively indispensable. This is the case if the main subject matter of the contract cannot be achieved if the processing would not occur. The CJEU expressed doubts as to whether personalised content or the consistent and seamless use of the Meta group’s own services fulfill the criteria of Article 6(1)(b) GDPR which is however subject to verification by the national court.

According to the CJEU, in the absence of the data subject’s consent, the personalised advertising by which Facebook finances its activity, cannot justify the processing of the data at issue as a 'legitimate interest' pursued by Meta pursuant to Article 6(1)(f) GDPR.

Lastly, the CJEU noted that the fact that Article 6(1)(a) and Article 9(2)(a) GDPR must be interpreted as meaning that the operator of an online social network, as controller, holds a dominant position on the social network market does not, as such, prevent its users from validly giving their consent within the meaning of Article 4(11) GDPR to the processing of their personal data by that operator. However, since that position is liable to affect the freedom of choice of those users and create a clear imbalance between them and the data controller, the CJEU highlighted that this is an important factor in determining whether the consent was in fact validly and, in particular, freely given. This is for the operator to prove.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!