However, it must take into account any decision or investigation by the competent supervisory authority under that Regulation
Meta Platforms is the owner of the online social network ‘Facebook’. Users of this social network must accept Facebook’s terms of service, which refer to Meta Platforms’ data and cookies policies. Under those terms, Meta Platforms collects data from other Meta Platforms group services, such as Instagram and WhatsApp, as well as from third-party websites and applications, via integrated interfaces or via cookies placed on the user’s computer or mobile device. In addition, Meta Platforms links those data to the Facebook account of the user concerned and uses them for advertising purposes, among other things.
The German Federal Competition Authority prohibited Meta Platforms from processing data in accordance with Facebook’s terms of service and from implementing those terms, and imposed measures to stop it from doing so. The authority found that the data processing in question, which did not comply with the General Data Protection Regulation (GDPR), constituted an abuse of Meta Platforms’ dominant position on the social network market for private users in Germany.
Meta Platforms appealed against the decision of the above authority to the Higher Regional Court of Düsseldorf, which asks the Court of Justice whether national competition authorities are entitled to assess the compliance of data processing with the RGPD. In addition, the German court asks the Court about the interpretation and application of certain provisions of the GDPR.
In his Opinion delivered today, Advocate General Athanasios Rantos, first, takes the view that, while a competition authority does not have jurisdiction to rule on an infringement of the GDPR, it may nevertheless, in the exercise of its own powers, take account of the compatibility of a commercial practice with the GDPR. In that respect, the Advocate General emphasises that the compliance or non-compliance of that conduct with the provisions of the GDPR may, in the light of all the circumstances of the case, be an important indication of whether that conduct amounts to a breach of competition rules.
However, the Advocate General points out that a competition authority can only assess compliance with the
GDPR as an incidental question, without prejudice to the powers of the competent supervisory authority under that regulation. Therefore, the competition authority must take account of any decision or investigation by the competent supervisory authority, inform the latter of any relevant details and, where appropriate, consult it.
Secondly, the Advocate General is of the opinion that the mere fact that the undertaking operating a social network enjoys a dominant position on the national market for online social networks for private users does not call into question the validity of the consent of the user of that network to the processing of his personal data. Such a circumstance does, however, play a role in the assessment of the freedom of consent, which it is up to the data controller to demonstrate.
Thirdly, the Advocate General takes the view that Meta Platforms’ practice at issue, or some of the component parts thereof, may fall within the justifications provided for by the GDPR for the processing of data without the consent of the data subject, provided that the elements of that practice are actually necessary for the provision of the services relating to the Facebook account. However, the Advocate General considers that, although the personalisation of content and advertising, the continuous and seamless use of the Meta Platforms group’s services, the security of the network or the improvement of the product may be in the interests of the user or the data controller, those components of the practice at issue do not appear to be necessary for the provision of the abovementioned services.
Fourthly, the Advocate General notes that the prohibition on processing sensitive personal data, relating, for example, to racial or ethnic origin, health or sexual orientation of the data subject, may also relate to the data processing at issue. This is the case where the processed data, individually considered or aggregated, allow user profiling based on the sensitive characteristics referred to in the GDPR.
In this context, the Advocate General emphasises that, in order for the exemption to that prohibition, relating to data which the data subject has manifestly made public, to apply, the user must be fully aware that, by an explicit act, he is making personal data public. According to the Advocate General, conduct consisting in visiting websites and apps, entering data into those websites and apps and clicking on buttons integrated into them cannot, in principle, be regarded in the same way as conduct that manifestly makes public the user’s sensitive personal data.
The full text of the Opinion is published on the CURIA website on the day of delivery.