It is permissible for national competition authorities investigating a competition matter to conclude that a breach of data protection law has taken place and to come to their own conclusions as to whether such a breach also constitutes anti-competitive conduct, the Court of Justice of the European Union (CJEU) has recently affirmed.
The implementation of data protection and competition law, as a norm, falls fairly and squarely within the remit of two different national authorities established by virtue of different legislative frameworks. By way of example, whereas the Office of the Information and Data Protection Commissioner (IDPC) is the national supervisory authority responsible for monitoring and enforcing data protection law, including the GDPR, the Malta Competition and Consumer Affairs Authority (MCCAA) is the national supervisory authority for competition law.
The facts of this case were briefly as follows. Meta Platforms Ireland operates the online social network Facebook within the EU. When registering with Facebook, its users accept the general terms drawn up by the company, including the data and cookies policies which provide that the company is entitled to collect data about user activities on and off the social network and link them with the Facebook accounts of the users concerned.
Such data relate to visits by Facebook users to third-party web pages and apps, as well as to the use of other online services belonging to the Meta group, such as Instagram and WhatsApp. The data thus collected then enable Meta Platforms to create personalised advertising messages for Facebook users.
The German national competition office prohibited making the use of Facebook by private users resident in Germany subject, in the general terms, to the processing of their off-Facebook data, and prohibited the processing of those data without their consent. It concluded that such processing was not consistent with the GDPR, and consequently constituted an abuse of Meta Platforms Ireland’s dominant position on the German market for online social networks.
Upon the filing of an action before the German courts against this decision, the national court seized of the case filed a preliminary reference before the CJEU requesting guidance as to whether national competition authorities may, during a competition investigation, also review whether a data processing operation complies with the requirements set out in the GDPR. The national court also requested guidance on the interpretation and application of certain provisions of the GDPR to the processing of data by the operator of an online social network.
The CJEU observed that within the context of investigating breaches of competition law, such as abusive behaviour by a dominant company, it may be necessary for the national competition authority to also examine whether the undertaking’s conduct complies with rules other than those relating to competition law, such as the GDPR.
However, the court emphasised that where a national competition authority identifies an infringement of the GDPR, it does not replace the role played by the national authority empowered to implement data protection law. The sole purpose of the assessment of compliance with the GDPR by the competition authority should be merely to establish an abuse of a dominant position and impose measures to put an end to such abuse in terms of competition law.
Hence, where the national competition authority is of the opinion that it is necessary to examine whether an undertaking’s conduct is consistent with the GDPR, it must ascertain whether such conduct or similar conduct has already been the subject of a decision by the competent supervisory authority or the court. If that is the case, it cannot depart from it, although it remains free to draw its own conclusions from the point of view of the application of competition law.
In so far as Meta Platforms Ireland’s compliance with the GDPR is concerned, the CJEU proceeded to note that the data-processing operation carried out by the said company concerns special categories of data that may reveal racial or ethnic origin, political opinions, religious beliefs or sexual orientation.
The court went on to examine whether, despite the strict approach adopted in the GDPR to the processing of such data, the processing of such ‘sensitive’ data was in this case permitted since such data were manifestly made public by the relevant data subject. The mere fact that a user visits websites or apps that may reveal such information does not in any way mean that the user is manifestly making his or her data public, the court affirmed.
The same applies where a user enters information into such websites or apps or where he or she clicks or taps on buttons integrated into them, unless an explicit a priori choice is made by the data subject to make such data relating to him or her publicly accessible to an unlimited number of persons.
In so far as the processing of other ‘non-sensitive’ data by Meta Platforms Ireland is concerned, the court examined whether such processing may be justified in terms of any one of the grounds provided for in the GDPR, which permit the processing of data despite the lack of consent on the part of the data subject. Such justifications include instances where data processing is necessary for the performance of a contract to which the data subject is party or where processing is necessary for the purposes of the legitimate interests pursued by the controller of the data.
The CJEU concluded that the first justification may only be upheld if the data processing in question is objectively indispensable for the main subject matter of the contract to be achieved. The CJEU expressed doubt as to whether this could be said to be the case in this instance. Similarly, the personalised advertising by which the online social network Facebook finances its activity cannot be said to be a legitimate interest pursued by Meta Platforms Ireland, which would justify the processing of the data at issue, in the absence of the data subject’s consent.
The CJEU went on to observe that the fact that the operator of an online social network, as controller, holds a dominant position on the social network market does not, as such, prevent its users from validly giving their consent to the processing of their personal data by that operator. However, the operator must be able to prove that despite its dominant position, the user validly and freely provided his or her consent to the processing of his or her personal data. This is due to the fact that a dominant position may affect the freedom of choice of users and create a situation of imbalance between them and the data controller.
This judgment has important implications both for operators enjoying a dominant position in a particular market and for national competition authorities.
While highlighting the special responsibility of dominant companies, particularly that of dominant online social network operators, to ensure that they do not use their power on the relevant market to influence their customers’ choice to provide consent or otherwise when it comes to the processing of their personal data, it also somewhat serves to dilute the compartmentalisation of supervisory roles held by different authorities.
Mariosa Vella Cardona is an independent legal consultant specialising in European law.