Companies holding a dominant position on their (digital) markets may be sanctioned by (national) competition authorities for infringing… the General Data Protection Regulation ("GDPR"). A dominant position may also imply additional hurdles for these companies when it comes to demonstrating that their data collection and processing practices rely on valid legal grounds under Article 6 GDPR.
Meta Platforms Ireland is well known for its various online social media platforms such as Facebook, Instagram, WhatsApp, Oculus and previously also Masquerade. The social media platform Facebook is provided free of charge to customers and is financed by “targeted” online advertising to users. Such targeted advertising relies on a detailed user profile based on personal information such as consumer behaviour, interests and purchasing power. The information is collected not only on the various platforms operated by the Meta group, but also on third-party webpages and apps (“off-Facebook data”). This processing activity relies on the acceptance by the customer of the Facebook general terms of service, which include a reference to cookie and privacy policies. In other words, to be able to use Facebook, users have no other choice than to accept the general terms of service and the processing of the user’s personal data by Meta for advertising purposes.
In 2019, the German Federal Cartel Office (“GFCO”) considered that Meta’s practices constituted an abuse of its dominant position on the market for online social networks (“GFCO Decision”). It therefore prohibited Meta from making the use of Facebook subject to the acceptance, through the general terms of service, of the processing of the user’s personal data from other Meta platforms and third-party webpages.
The proceedings for the annulment of the GFCO Decision before the Regional Court of Düsseldorf eventually reached the Court of Justice of the European Union (“CJEU”) and included several preliminary questions encompassing both competition law and data protection law aspects.
Allocation of roles between competition and data protection authorities
The case had been closely watched by those interested in the interaction between competition and data protection laws. Indeed, interestingly, the competition law infringement in the GFCO Decision relied directly on an infringement of the GDPR (more precisely of Articles 6(1) and 9(2)). As a result of its dominant position, Meta’s general terms constituted an abuse, since the processing of the off-Facebook data was not consistent with the values underlying the GDPR.
Acknowledging the importance of data as a decisive commercial asset (and hence as a parameter of competition) in the digital economy, the CJEU confirmed that a national competition authority – even if it is not a national supervisory authority within the meaning of Article 51 et seq. GDPR – can find an undertaking’s (implementation of the) general terms of use relating to the processing of personal data to be inconsistent with the GDPR, where such finding is necessary to establish the existence of an abuse of a dominant position under Article 102 TFEU. Indeed, according to the CJEU’s Grand Chamber, “the compliance or non-compliance [with] the GDPR may, depending on the circumstances, be a vital clue among the relevant circumstances of the case in order to establish whether that conduct entails resorting to methods governing normal competition” (para. 47).
However, the CJEU also ruled that national competition authorities are bound by the principle of sincere cooperation under Article 4(3) TEU and therefore cannot deviate from a decision of a national supervisory authority. Hence, a national competition authority is required to consult and cooperate with the national supervisory authority when, in the exercise of its powers, it has to evaluate whether certain conduct is in breach of the GDPR. This consultation or collaboration obligation is not foreseen in the GDPR, which only contains a cooperation mechanism for national supervisory authorities.
Additional insights provided on some key GDPR concepts
Furthermore, the CJEU conducted a detailed analysis of the possible application of the different legal grounds of Article 6 GDPR for the lawful processing of data as well as Article 9 GDPR regarding the processing of sensitive categories of personal data.
The CJEU notably ruled that the collection of on-Facebook and off-Facebook data and the linking of these data with the social network account of users could only be considered as “necessary for the performance of a contract” (Article 6(1)(b) GDPR) if such processing is objectively indispensable for a purpose that is integral to the contractual obligation (i.e. indispensable for the achievement of the main purpose of the contract). In this case, the CJEU rejected Meta’s justifications that its data collection and processing practices were necessary for guaranteeing users’ personalised content and the consistent and seamless use of the Meta group’s own services.
The judgment also made it clear that the fact that a platform holds a dominant position is a relevant factor to take into account when assessing whether consent has been “freely given” (in the sense of Article 6(1)(a) and Article 4(11) GDPR) by users of the platform – indeed, such dominant position “is liable to affect the freedom of choice of that user, who might be unable to refuse or withdraw consent without detriment” (para. 148).
Eubelius will be happy to assist you if you have any questions relating to your processing activities and your GDPR compliance.