On July 4, 2023, the Court of Justice of the European Union (“CJEU”) issued a landmark decision in Case C-252/21 regarding the compliance of a well-known social network with the GDPR (Regulation EU 2016/679) and competition law in collecting personal data and the related consent for the provision of customized advertising services. In this decision, the CJEU also confirmed that a national competition authority may assess compliance with the GDPR as part of an investigation of abuse of dominant position.
The main proceedings
The proceedings originated from seven preliminary questions raised by the Düsseldorf Higher Regional Court (Oberlandesgericht Düsseldorf) during an action brought by the social media provider against an infringement decision issued by the German Federal Cartel Office (the Bundeskartellamt or “FCO”) for breach of national provisions on the protection of competition.
According to the FCO, the lack of proper consent and the fact that the processing of personal data collected outside the platform (“off-platform data”) was based entirely on the general terms in the platform’s contract constituted abuse of dominant position, because that processing was not compliant with the GDPR. As a result, the FCO banned the use of the social media platform by users residing in Germany unless the social media provider obtained their consent for the processing of off-platform data.
In addition to challenging the FCO’s decision, the platform introduced new general terms stating that rather than paying for the service, a user agrees to be shown customized advertising, and it introduced a tool that allows users to opt out of off-platform data processing.
CJEU findings on the interplay between competition and data protection enforcement: An antitrust authority can assess compliance with the GDPR
According to the CJEU, neither the GDPR nor any other EU law expressly regulates cooperation between a national competition authority and the relevant data protection supervisory authority. In the absence of an express prohibition, the CJEU stated that a competition authority may investigate whether an undertaking’s conduct is compliant with rules other than those relating to competition law, to the extent that noncompliance may amount to abuse of dominant position.
However, competition authorities neither monitor nor enforce application of the GDPR, and when a national competition authority discovers infringement of that regulation while investigating abuse of dominant position, its findings do not replace those of the relevant supervisory authority.
In addition, in such cases a competition authority shall cooperate at all times with the relevant supervisory authority to ensure that the GDPR is applied consistently overall. This means that a national competition authority cannot depart from a previous decision of the relevant data protection supervisory authority concerning the general terms and condition for processing of personal data or similar general terms.
CJEU findings on interpretation of the GDPR: Profiling activities are not necessary to execute a contract, nor can they be considered a legitimate interest
Firstly, the CJEU clarified that personal data drawn from the online activity of a social network user may include certain categories of personal data, as long as the online activity (linked to an account on the social network) include visits to third-party websites or apps to which particular categories of personal data relate. According to the CJEU, the data may be “manifestly made public by the data subject” in the sense of Article 9 GDPR, as long as the user (referenced in the data in question) personally enters information into such websites/apps or clicks or taps buttons integrated into those websites/apps, such as like or share buttons. Users must also have explicitly made an informed choice beforehand, for example by toggling specific individual settings to make the data accessible to the general public.
To this end, when processing is based on a user’s consent, the user is free to refuse to give their consent to particular data processing operations, as long as these operations are not necessary for execution of the contract. The user then is not obligated to refrain entirely from using the service offered by the online social network operator. This means that—for an appropriate fee, if necessary—such a user shall be offered an equivalent alternative that does not involve such data processing operations.
The fact that the operator of an online social network holds a dominant position on the market for online social networks does not, in and of itself, preclude the users of that network from validly consenting to the processing of their personal data by that operator. Nevertheless, this is an important factor in determining whether consent was valid and—even more crucially—freely given; it is up to the operator to prove that.
Secondly, the CJEU confirmed the principle according to which the legal bases (other than the data subject’s consent) must be interpreted restrictively. Based on this general principle, the CJEU argued that in the context of social network profiling, activities to display customized advertising can be considered neither (i) necessary to execute the contract with the user nor (ii) necessary to pursue a legitimate interest of the controller:
- Necessity to execute the contract with the user: According to the CJEU, there are workable, less intrusive alternatives among the services offered by the social network operator and governed by the contract entered into with the user. Indeed, the social network service could be provided via an equivalent alternative that does not involve personalization. Nor can this legal basis be relied upon to ensure the consistent and seamless use of the services provided by the group. Indeed, the user has no obligation to subscribe to the various services to create an account on a social network platform.
- Legitimate interest: In the case of personalized advertising specifically, the CJEU holds that a user’s interests and fundamental rights override the social network’s interests in financing its activity by means of personalized advertising. Indeed, according to the CJEU, although the social network’s service is free of charge, users cannot reasonably expect that their data will be processed for personalized advertising purposes. This is especially true considering that the processing is particularly extensive, as it relates to potentially unlimited data, which may give rise to the feeling that a user’s private life is being monitored continuously. This reasoning is also valid with respect to other purposes allegedly pursued by the social media operator as legitimate interests, such as ensuring the security of the social network and product improvement, since these purposes could be pursued through less intrusive means.
Finally, the CJEU dismissed the argument that processing of personal data by the operator of a social network is necessary to comply with a legal obligation, to perform a task carried out in the public interest, or to protect an interest that is essential to the life of the user. Indeed, as the CJEU noted, “[G]iven the type of activity and the essentially economic and commercial nature thereof, it seems unlikely that a private operator was entrusted with such a task.” In any case, it will be up to the referring court to determine whether the large scale of the data processing can be justified as necessary to pursue the above purposes. The CJEU also rejected in principle the idea that a social network operator may rely on the protection of an interest that is essential to the life of a user or of another person in view of the essentially economic and commercial nature of the service.
This decision raises several issues that both business and public authorities must consider carefully.
Firstly, it raises questions as to how, in practice, national competition authorities shall cooperate with data protection supervisory authorities when assessing the lawfulness of conduct in the provision of digital platform services. The national case law showed more than once that competition authorities tend to expand the areas under their purview to sanction conduct related to processing data as competition or consumer law infringement. In this case, however, it is crucial that the utmost caution be adopted to ensure that companies are not sanctioned for infringement of competition law based on inconsistent assessment of compliance with privacy rules, or any other rules that fall under the remit of a different authority. Additionally, as soon as possible local competition and data protection authorities should implement cooperation protocols to be followed when their respective actions may have impact on the enforcement of both data protection and competition laws and regulations.
Secondly, and more importantly, this decision presents the opportunity to uphold a very restrictive interpretation of the GDPR that could run counter to the reasons behind the very adoption of the GDPR. Indeed, the CJEU’s arguments (while substantiated from a factual perspective) seem to rely on the assumption that legal bases other than data subjects’ consent are exceptions and, as such, should be interpreted narrowly. On the contrary, the GDPR superseded this relationship of general rule–exception between consent and the other legal bases, as provided under Directive 95/46/EC, to resolve many of the issues that a consent-centric system had raised over the years.