The issues raised stem from the practice of collecting data from other group services, as well as from third-party websites and apps, via integrated interfaces or via cookies placed on the user’s computer or mobile device, linking those data with the user’s Facebook account and then using them.
To collect and process user data, Meta Platforms relies on the contract for the use of the services entered into with its users when they click on the ‘sign-up’ button, thereby accepting Facebook’s terms of service. Acceptance of those terms of service is an essential requirement for using the Facebook social network (‘the practice at issue’).
Processing data prohibition
The request for a preliminary ruling was made by the Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf, Germany) in proceedings between companies in the Meta group and the Bundeskartellamt – the Federal Cartel Office (FCO) – concerning the decision by which the FCO prohibited the applicant in the main proceedings from processing data as provided for in the terms of service of its Facebook social network and from implementing those terms of service, and imposed measures to stop it from doing so.
The FCO based its decision, among other things, on the fact that, under the relevant German law against restrictions on competition, the processing in question constituted an abuse of the company’s dominant position in the social-media market for private users in Germany. Meta brought an action against the decision at issue, which resulted in the request for a preliminary ruling.
As to the competence of the FCO, the advocate general observed that, subject to verification by the referring court, it appeared that the FCO, in the decision at issue, did not in fact penalise a breach of the GDPR by Meta, but proceeded, for the sole purpose of applying competition rules, to review an alleged abuse of its dominant position while taking account, among other things, of that undertaking’s non-compliance with the provisions of the GDPR.
He accordingly considered that the question as to a competition authority’s ability to decide, as the main issue, on a breach of the GDPR, and to issue an order to end that breach within the meaning of the GDPR, was irrelevant.
Compatibility of conduct
Although a competition authority is not competent to establish a breach of the GDPR, he considered that that regulation did not, in principle, preclude authorities other than the supervisory authorities, when exercising their own powers, from being able to take account, as an incidental question, of the compatibility of conduct with the provisions of the GDPR.
He considered that to be especially the case where a competition authority exercises the powers conferred on it by article 102 TFEU and by the first paragraph of article 5 of Regulation (EC) No 1/2003, or by any other equivalent national provision.
In support of that view, he observed that, in exercising its powers, a competition authority must assess, among other things, whether the conduct in question entails resorting to methods other than those prevailing under merit-based competition, considering the legal and economic context in which that conduct takes place (C-413/14 P Intel v Commission, at paragraph 136).
In that respect, he considered that the compliance or non-compliance of that conduct with the provisions of the GDPR – not taken in isolation, but considering all the circumstances of the case – may be a vital clue as to whether that conduct entails resorting to methods prevailing under merit-based competition, it being stated that the lawful or unlawful nature of conduct under article 102 is not apparent from its compliance or lack of compliance with the GDPR or other legal rules.
As to what obligations a competition authority has in the context of the application of the principle of sincere cooperation enshrined in article 4(3) TFEU, he observed that the investigation, albeit incidental, by a competition authority of an undertaking’s conduct in the light of the GDPR carries the risk of differing interpretations of that regulation by the competition authority and the supervisory authorities, which could in principle undermine the uniform interpretation of the GDPR.
Even without a decision by the competent supervisory authority, he considered it is still the competition authority’s duty to inform and cooperate with the competent supervisory authority where that authority has begun an investigation of the same practice or has indicated its intention to do so, and possibly to await the outcome of that authority’s investigation before commencing its own assessment, insofar as that is appropriate and is without prejudice to the competition authority abiding by a reasonable investigation period, and the rights of defence of the data subjects.
As to whether article 9(1) of the GDPR must be interpreted as meaning that the practice at issue, when it concerns visits to third-party websites and apps, involves processing the types of sensitive personal data mentioned, which is prohibited, and if so, whether article 9(2)(e) of that regulation must be interpreted as meaning that a user manifestly makes public (within the meaning of that provision) the data revealed by visiting those websites and apps, or entered into those websites or apps, or resulting from clicking on buttons integrated into those websites or apps, he observed that the practice at issue entails the processing of personal data, which is, in principle, liable to fall within the scope of that provision and to be prohibited where the data processed ‘reveal’ one of the sensitive situations referred to therein.
He considered it necessary, therefore, to establish whether and to what extent visiting websites and apps or entering data into them may be ‘indicative’ of one of the sensitive situations listed in the provision in question. In that context, he doubted whether it is relevant (or always possible) to distinguish between the data subject merely being interested in certain information and the data subject belonging to one of the categories covered by the provision in question.
Although the parties to the main proceedings have opposing views in that regard, he considered that the answer to that question must be sought on a case-by-case basis and regarding each of the activities comprising the practice at issue.
However, he noted that it should be clarified that the existence of categorisation within the meaning of that provision is independent of whether that categorisation is accurate or correct (see EDPB Guidelines, paragraph 125).
What counts is the possibility that such categorisation could create a significant risk to the fundamental rights and freedoms of the data subject, as stated in recital 51 of the GDPR, regardless of whether that possibility materialises.
Further, the aim of the provision in question is, in essence, objectively to prevent significant risks to the fundamental rights and freedoms of data subjects arising from the processing of sensitive personal data, irrespective of any subjective element, such as the controller’s intention.
Manifestly made public
With regard to the inclusion in the wording of article 9(2)(e) of the GDPR of the adverb ‘manifestly’, and the fact that the provision constitutes an exemption to the prohibition on processing sensitive personal data, he observed that it requires a particularly stringent application of that exemption, on account of the significant risks to the fundamental rights and freedoms of data subjects. For that exemption to apply, the user must, in his opinion, be fully aware that, by an explicit act, he or she is making personal data public.
He found that, in the case under consideration, conduct consisting in visiting websites and apps, entering data into those websites and apps, and clicking on buttons integrated into them cannot in principle be regarded in the same way as conduct that manifestly makes public the user’s sensitive personal data within the meaning of article 9(2)(e) of the GDPR.
Further, in relation to the relevance of any consent given by the user within the meaning of article 5(3) of Directive 2002/58, so that personal data may be collected by cookies or similar technologies, as described by the referring court, he did not consider such consent, in view of its specific purpose, to be sufficient to justify the processing of sensitive personal data collected by such methods.
Indeed, such consent, which is necessary to install the technical means to capture certain user activities, does not involve the processing of sensitive personal data and cannot be regarded as a wish to make such data manifestly public within the meaning of article 9(2)(e) of the GDPR.
Necessity and legitimate interest
As to the question whether an undertaking, such as Facebook Ireland, which operates the practice at issue, justifies collecting data for these purposes from other group services and third-party websites and apps via integrated interfaces (such as Facebook Business Tools) or via cookies or similar storage technologies placed on the internet user’s computer or mobile device, linking those data with the user’s Facebook account and using them on the ground of necessity for the performance of the contract under article 6(1)(b) of the GDPR or on the ground of the pursuit of legitimate interests under article 6(1)(f) of the GDPR, he found that the GDPR must be interpreted as meaning that the practice at issue, or some of the activities that comprise it, may be covered by the exemptions laid down in those provisions, as long as each data-processing method examined fulfils the conditions provided for by the justification specifically put forward by the controller, and that therefore:
- The processing is objectively necessary for the provision of the services relating to the Facebook account,
- The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, and does not have a disproportionate effect on the fundamental rights and freedoms of the data subject,
- The processing is necessary to respond to a legitimate request for certain data, to combat harmful behaviour and promote security, to conduct research in the public interest, and to promote safety, integrity, and security.
Consent and dominant undertakings
As to whether articles 6(1)(a) and 9(2)(a) of the GDPR are to be interpreted as meaning that consent within the meaning of article 4(11) of that regulation may be given effectively and freely to an undertaking having a dominant position in the national market for online social networks for private users, he considered that any dominant position on the market held by a personal-data controller operating a social network is a factor when assessing whether users of that network have given their consent freely.
The market power of the controller could lead to a clear imbalance, such as where the provision of a service is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. Freedom of consent does not arise if the data subject has no genuine or free choice, or is unable to refuse or withdraw consent without detriment.
However, it should be clarified that, for such a market power to be relevant from the point of view of enforcing the GDPR, it need not necessarily be regarded as a dominant position within the meaning of article 102 TFEU. Besides, that circumstance alone cannot, in principle, render the consent invalid.
He accordingly found that the validity of consent should be examined on a case-by-case basis, in the light of the other factors mentioned, considering all the circumstances of the case, and the controller’s responsibility to demonstrate that the data subject has given his or her consent to the processing of personal data relating to him or her.