by Fatma Ceren Morbel
After Meta’s new conditions imposed on its users which put users into a “take it or leave it” situation, in 2016 the German Federal Cartel Office initiated an investigation against Meta Platforms (formerly Facebook). As a result of this new rule, users must consent to extensive disclosures of their personal information, otherwise Meta's services cannot be accessed by them. Moreover, in accordance with these terms, Meta Platforms collects data from other Meta Platforms group services, such as Instagram and WhatsApp, as well as data collected from third-party websites. In addition to advertising purposes, the collected data could be used for other purposes as well.
In 2019, the German Federal Cartel Office decided that Meta's actions constituted an abuse of dominant position due to the fact that its users did not grant free and effective consent when asked within the meaning of the GDPR.
As a result, the GDPR data protection boundaries had been exceeded, and Meta's dominant position in the relevant market required an analysis from a competition law standpoint. Therefore, Meta Platforms was prohibited by the German Federal Cartel Office from processing and implementing data in accordance with Facebook's terms of service, along with measures to prevent it from doing so.
Following that, Meta Platforms appealed to the Düsseldorf Higher Regional Court against the decision of the Federal Cartel Office. It was ruled by the Court that Meta did not have to imply the Federal Cartel Office’s decision. The case was referred to the Court of Justice by the Higher Regional Court in Düsseldorf following Meta's appeal to the Federal Cartel Office’s order to stop gathering data from its social media apps, including Facebook, Instagram, and WhatsApp, for the purpose of selling it to advertisers.[1] Two main questions are posed by the Higher Regional Court in Düsseldorf to the Court of Justice. First, whether national competition authorities are entitled to evaluate the compliance of data processing with the GDPR, and, second, how some provisions of the GDPR should be interpreted and applied.[2]
In September 2022, Advocate General Athanasios Rantos delivered his non-binding opinion on the case.[3] According to him, although a competition authority does not have jurisdiction to rule on an infringement of the GDPR, it may investigate the compatibility of commercial practices with data protection laws.
To the question whether a competition authority, when prosecuting a breach of competition rules, may rule primarily on the infringement of the GDPR he stated that the Federal Cartel Office “did not penalise a breach of the GDPR by Meta Platforms, but proceeded, for the sole purpose of applying competition rules, to review an alleged abuse of its dominant position while taking account, inter alia, of that undertaking’s non-compliance with the provisions of the GDPR”.[4] It should be noted that the compliance or non-compliance of the conduct with the provisions of the GDPR can be a significant tool to indicate whether the conduct constitutes a breach of competition rules.
Regarding the question whether a competition authority is entitled, when prosecuting infringements of the competition rules to establish, he expressed that a competition authority can only assess compliance with the GDPR as an incidental question without prejudice to the powers of the competent supervisory authority under that regulation. Thus, any decision or investigation made by the competent supervisory authority must be taken into account by the competition authority.
According to Advocate General Rantos, Meta does not have only the personal data collected when users sign up to the service, but also have the personal data entered into websites and apps that the data subject disclosed to it. Consequently, Meta is able to reach a large dataset. Rantos does not consider that such consent, in light of its specific purpose, is sufficient to justify the processing of sensitive personal data collected using the methods mentioned.[5]
As stated by the Advocate General, “[t]he prohibition on processing sensitive personal data does not apply if the processing relates to personal data which are manifestly made public by the data subject.”[6] However, despite the fact that a user visits websites or applications and enters personal information by clicking on a button to disclose that information, he notes that this cannot be interpreted as the data subject manifestly making its data public.
In the present case, only clicking on buttons cannot be regarded as manifestly making the user’s sensitive personal data within the meaning of the GDPR, since the user must be fully aware of it. Based on his assessment, he also doubts that the processing of personal data from other group services (including Instagram) is not necessary for the performance of the contract concluded with the user, as well as to what extent the processing may meet the expectations of an average user.
He points out the importance of Article 6(1)(f) of GDPR in which it is stated that “the processing of personal data is lawful only if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.” Product improvement cannot be regarded as such a justification, since it is in the interest of the user rather than the data controller.
We do not know yet how the European Court of Justice will decide the case. However, if it makes a decision in accordance with the opinion of Advocate General Rantos, it will be a step further to improve privacy rights all around Europe, since competition authorities will have the ability to assess the compatibility of data protection with competition law rules.
Nevertheless, the decision could bring to the fore other significant questions. Should competition authorities be entitled to assess all kinds of rules during their proceedings? If it can happen with data protection rules, “who” will be the next?
[1] Competition Policy International, EU Court Adviser Says German Watchdog Can Probe Meta’s Data Violations, 20 September 2022.
https://www.competitionpolicyinternational.com/eu-court-adviser-says-german-watchdog-can-probe-metas-data-violations/
[2] Court of Justice of the European Union Press Release No 158/22, According to Advocate General Rantos, a competition authority may, in exercising its powers, take account of the compatibility of a commercial practice with the General Data Protection Regulation, 20 September 2022.
https://curia.europa.eu/jcms/upload/docs/application/pdf/2022-09/cp220158en.pdf
[3] Case C-252/21: Meta Platforms and Others, Opinion of Advocate General Rantos, 20 September 2022.
[4] Case C-252/21: Meta Platforms and Others, Opinion of Advocate General Rantos, 20 September 2022. para. 18.
[5] Alba Ribera Martínez, Processing of Personal Data Inside Out: the Opinion of AG Rantos in C-252/21 (Meta Platforms v. Bundeskartellamt), 22 September 2022.
http://competitionlawblog.kluwercompetitionlaw.com/2022/09/22/processing-of-personal-data-inside-out-the-opinion-of-ag-rantos-in-c-252-21-meta-platforms-v-bundeskartellamt/
[6] Case C-252/21: Meta Platforms and Others, Opinion of Advocate General Rantos, 20 September 2022. para. 42.