On 20 September 2022, Advocate General Rantos delivers his Opinion on the much-awaited Case C-252/21 (Meta Platforms v. Bundeskartellamt). Bearing in mind the Opinion intends to pave the way for the European Court of Justice (ECJ) regarding the interpretation of the GDPR, the text resonates with competition law and its interpretation in the display online advertising market.
The Questions Addressed to the Court and AG Rantos’ Approach
In February 2019, the German competition authority (FCO or Bundeskartellamt) found Meta – formerly Facebook – liable for an infringement concerning the collection, processing, aggregation, and use of personal data of its users. The FCO found an abuse of a dominant position, based on an infringement of the German competition law regime (Section 19(1) GWB) as well as Sections 307ff. of the German Civil Code. [1]
The competition authority’s theory of harm worked on the premise of the existing imbalance between Facebook’s users and the social network, as a consequence of the latter’s dominant position in the national market of social networking for private users. Based on this finding, the FCO drew out that Facebook’s users did not grant free and effective consent when signing up to Facebook through its terms of service, within the meaning of the GDPR. [2] Thus, an infringement of the GDPR based the finding of an exploitative abuse on Facebook’s side. The remedies imposed by the FCO prohibited Facebook from processing data as provided in the terms of service of its social network and from implementing them any further to new users joining the service.
On appeal, the Higher Regional Court of Düsseldorf referred up to seven questions to the ECJ regarding different aspects of the decision.
In terms of the intersection of competition law with the protection of personal data, the referring Court asked: i) whether the FCO was competent to find an infringement of the GDPR in its proceedings monitoring abuses of competition law (First Question, a), and ii) whether consent in the meaning of the GDPR can be effectively and freely given to a dominant undertaking such as Facebook (Sixth Question). Following the words of the referring Court’s working document, only if the latter question was answered in the negative, then the ECJ should address whether the FCO could assess whether Facebook’s data processing terms of service and their implementation comply with the GDPR (Seventh Question, a)).
On top of these questions, the referring Court also inquired about the validity of the FCO’s findings in light of Ireland’s Data Protection Commission (IDPC) decision issued in 2022 over the same case and conduct in the area of data protection, which reached a different conclusion to the Bundeskartellamt regarding Facebook’s data processing practices (First Question, b) and Seventh Question, b)). [3]
The rest of the questions addressed to the ECJ were directly related to the interpretation of the GDPR, although their outcome will have a direct impact on the business model of the main digital platforms, i.e., the tracking and massive collection and processing of data to profile users. On one side, the Second Question(a) and (b) concerned the interpretation of the prohibition of processing sensitive data in the context of profiling users. [4] On the other side, the Third, Fourth and Fifth Questions particularly addressed the lawfulness of processing performed by Facebook through its terms of service. [5]
Contrary to how the questions were addressed to the Court, AG Rantos analyses the First and Seventh Question subsequently, although they follow completely different lines of reasoning for the recurring Court. Surprisingly, these questions are dismissed quite quickly -the First Question in four paragraphs-, by AG Rantos, whereas the FCO’s findings are placed into a single category: the incidental knowledge of Facebook’s GDPR non-compliance within antitrust proceedings.
Questions One and Seven: The GDPR Can Be (Incidentally) Examined in Competition Law
To the question of whether the FCO was competent to establish a breach of the GDPR within an antitrust proceeding, AG Rantos answers in the negative. However, the Advocate General does not believe that this is what happened in the proceedings against Facebook regarding its data processing practices.
In the Opinion’s terms, the FCO “did not penalise a breach of the GDPR by Meta Platforms, but proceeded, for the sole purpose of applying competition rules, to review an alleged abuse of its dominant position while taking account, inter alia, of that undertaking’s non-compliance with the provisions of the GDPR”. Therefore, in AG Rantos’ view, the First Question falls through the cracks due to the factual evidence surrounding the case. The ‘primary’ analysis by a competition authority of a breach of the GDPR is unwarranted, based on the one-stop-shop principle set out in Articles 51 to 67 of the GDPR.
Instead, AG Rantos centres a great deal of attention on the FCO’s incidental analysis of the GDPR when applying competition rules. From his point of view, the conduct’s non-compliance with the GDPR can be considered in the broader analysis of the legal and economic context in which the conduct takes place, alongside the rest of the circumstances of the case. A prohibition on the competition authorities to interpret the GDPR’s provisions would call into question the effective application of EU competition law.
However, the lack of compliance with the GDPR of the conduct cannot balance out, just on its own, the lawfulness of a conduct under Articles 102 TFEU. A GDPR-compliant data processing data may breach competition rules and a GDPR non-compliant data processing conduct does not automatically mean that it breaches competition rules.
The Advocate General’s artificial construction on the primary and incidental analysis of the protection of personal data in competition law proceedings could add something to the ongoing debate, but it fails to capture the Bundeskartellamt’s decision. The GDPR was not applied incidentally in the case, nor it was considered within the larger economic and legal context surrounding the anticompetitive conduct. Without the initial infringement of the GDPR, which was principally grounded by the FCO (bearing in mind the German supervisory authority’s opinion), the whole anti-competitive conduct would not exist, at all. In other words, if the FCO would have found that user consent was granted freely and effectively, no further consequences, either in terms of data protection or in terms of antitrust, could have been drawn out by the German competition authority. Although AG Rantos’ tries to provide some clarity on the matter by providing clear concepts on the interaction between both fields of law, it works based on the wrong premise to start with.
In terms of substance, AG Rantos states that the GDPR and competition rules pursue different objectives, rules, and legitimate interests. Thus, if a competition authority decides to impose measures on an undertaking based on an interpretation of the GDPR, it would not trigger the safeguards of the ne bis in idem principle if an additional data protection supervisory authority ruled over the same set of facts.
Moreover, in the absence of adequate cooperation mechanisms [6], AG Rantos establishes the competition authority’s duty to inform and cooperate with the competent supervisory authority when beginning an investigation of the same practice and possibly to “await the outcome of that authority’s investigation before commencing its own assessment” (para 31). Contrary to this finding, AG Rantos presumes the FCO fulfilled its duties of diligence and sincere cooperation by contacting the Irish supervisory authority informally, before concluding its sanctioning proceedings against Facebook.
Question Six: Dominance Can Be Considered to Assess Free and Effective Consent
Consent was one of the few cornerstones that held up the Facebook v. FCO case. In the Bundeskartellamt’s view, Facebook’s users did not consent freely and effectively through the social network’s terms of service because there was an imbalance of power between the data controller (Facebook) and the data subject (the user). This was a manifestation of Facebook’s anti-competitive conduct. In my view, the FCO’s theory of harm is quite circular in this regard: dominance is a pre-condition to finding Facebook users did not have any bargaining power before the social network to choose their privacy preferences, and as a result, the abuse takes place through the exploitation of the user.
From a different perspective, AG Rantos confirms that Facebook users did not give their consent freely or effectively, bearing in mind the applicable data protection provisions. [7] AG Rantos rescues the concept of opt-in and lock-in of users from the FCO’s decision to establish the elements which can be considered to establish if consent was granted freely and effectively.
In turn, AG Rantos believes that the argument can also work the other way around. That is, dominance can be an element to assess whether users of a social network have given their consent freely. In a similar vein to the argument he used before regarding the intersection between the GDPR and competition law rules, the absence of a dominance position is not a guarantee either that consent has been granted freely and effectively by the user. Nothing is said, however, about the possibility of introducing the impact of free and effective consent into the antitrust analysis, i.e., when user exploitation is at hand.
Questions Two to Five: The Processing of Personal Data Performed Outdoors: The Profiling of Users
AG Rantos answers the questions addressed to the ECJ concerning the interpretation of the GDPR with a knowledgeable approach toward the massive collection, processing, aggregation, and use of personal data online. Throughout the four questions, an idea stands out as the groundwork for the rest of the AG’s conclusions: the Facebook v. FCO case does not only involve the personal data which is collected and explicitly inserted by the user when signing up to the service, but also the personal data which is retrieved from the tracking of the user outdoors of Facebook’s services. In other words, when the user signs up for the service, a great window is opened to Facebook to access a whole range of data produced on other sources different to Facebook. Then, the social network derives great value and insights from collecting and processing the data obtained outdoors to then aggregate it with its existing datasets.
As outrageous as it can sound, not only Facebook but the whole catalogue of digital platforms feed off of user data in the same way. Therefore, AG Rantos’ Opinion -and the outcome of the preliminary ruling, in general- may be conclusive to impose limits on the way platforms were processing personal data online up until this moment.
Following AG Rantos’ Opinion, the collection and processing of personal data throughout the user’s online interactions may fall within the scope of the prohibition of processing sensitive data insofar as users are constantly being profiled based on categories that emerge from sensitive data. Therefore, AG Rantos proposes that the prohibition of processing sensitive data extends to the subsequent aggregation of personal data to infer conclusions from user preferences and behaviour manifested online.
Contrary to Meta’s position throughout the proceedings and at the hearing held before the Court in May [8], AG Rantos does not believe that the exemption of Article 9(2)(e) of the GDPR should apply when firms profile users via this means. In his view, although a user visits websites and apps, enters data into a website or explicitly clicks buttons to derive control from her data, this cannot be interpreted as the data subject manifestly making public her personal data online. On one side, when signing up to Facebook, the user is not fully aware of making the whole set of her online interactions available to the general public. On the other side, even if consent was admitted as a legitimate basis to justify the processing of this data, following AG Rantos’ interpretation of profiling based on sensitive personal data, consent could not be sufficient to justify processing.
AG Rantos’ discards one by one Facebook’s proposed conditions to justify the processing of personal data.
In his viewpoint, the processing of personal data is not necessary for the performance of the contract concluded with the user [9], i.e., the processing of data is necessary to display “personalised content and continuous, seamless use of the group’s products/services”. AG Rantos sustains his argument on the interpretation of necessity as an autonomous concept of EU law. Necessary is not the same as being “sufficient” or “useful” for the performance of the contract. Instead, necessity should be measured objectively in the sense that there must be no realistic and less intrusive alternatives to perform the contract (para 54).
Considering Facebook’s wide-ranging tracking of users online, AG Rantos doubts that the processing of personal data is necessary to provide Facebook’s services altogether, and most importantly, it does not correspond with users’ reasonable expectations when signing up for the social network.
Following his argument, the personalisation of content and advertising, as well as product improvement and network security, will not constitute legitimate interests [10] either to justify the processing of (sensitive) personal data. In this sense, the user’s reasonable expectations, alongside the necessity of a high degree of personalisation on advertising and content, will have to be considered by the referring court to find admissible those legitimate interests.
Key Takeaways: A Green Light for GDPR Considerations and User Tracking Online Jeopardised
The Opinion of AG Rantos in the Facebook v. FCO will cause less of an impact than what it was first expected to be. No ground-breaking or landmark concepts are introduced into the mix, in terms of competition law. However, some ideas have been bounced off as a primer coming from the ECJ’s realm:
- Competition authorities do not have any competence to apply primarily the GDPR, i.e., find an infringement.
- An incidental consideration of the GDPR is admissible. The GDPR may be introduced within the wider scope of the legal and economic context surrounding the conduct, to establish whether the conduct entails resorting to other methods different to merit-based competition (para 23).
- The finding of dominance can influence the assessment of whether a user granted her consent freely and effectively to that same operator.
Although the preliminary ruling will mainly interpret the meaning of some of the GDPR’s words, if it follows the trail of AG Rantos, it can cause major damage in terms of the business model surrounding online advertising altogether. In terms of data protection, the most daring conclusions in the Opinion highlight that:
- The prohibition of processing sensitive personal data may be extended to indirect forms of processing, i.e., aggregating datasets with proprietary data belonging to tracking users online and then profiling them for economic purposes.
- When a user navigates online, the trail left on websites and apps in the form of identifiers, preferences and behaviour is not considered to be data that is being made public by the data subject.
- Facebook’s proposed grounds for legitimate processing of personal data may not be admissible, applying the objective necessity test.
Against this background, the ECJ has a massive task ahead of itself to counterbalance the efforts of AG Rantos for a stringent interpretation of data protection with detriment to online business models, or to confirm with a nuanced view the possible interactions between user privacy and antitrust.
______________________
[1] The German provisions establish the abusiveness of general terms and conditions in those cases where they are applied as a manifestation of market power or superior power of the party using these terms.
[2] Article 4 of the GDPR defines consent of the data subject as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
[3] According to Articles 51 and 56 of the GDPR, Ireland’s Data Protection Commission was the leading supervisory authority for Facebook’s case, insofar as its main establishment resided in Ireland. Following the GDPR, the leading supervisory authority is in charge of “the cross-border processing carried out by that controller or processor”.
[4] Article 9 of the GDPR prohibits the processing of sensitive data, although exemptions can apply. The most relevant exemption to the case can be found in Article 9(2)(e) GDPR when the “processing relates to personal data which are manifestly made public by the data subject”.
[5] Article 6 of the GDPR contains a list of reasons which justify the lawfulness of processing personal data. Even if only one reason applies for the processing, it will be lawful (and not only consent is a valid justification for processing).
[6] Although the GDPR contains cooperation mechanisms among data protection supervisory authorities, there are no ad hoc provisions concerning the relationship between supervision authorities and other administrative authorities.
[7] Recital 43 of the GDPR establishes that “consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller”.
[8] In the 10 May hearing, Meta held that a comparison should be drawn out between a user navigating online with a consumer walking down the street, in the sense that in both scenarios the user is making data about herself public, such as the streets she goes to vis-à-vis the websites she visits or the interests she manifests when buying in a shop vis-à-vis the online trail when she visits an online marketplace.
[9] The condition corresponds with Article 6(1)(b) of the GDPR.
[10] The condition corresponds with Article 6(1)(f) of the GDPR: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”.
________________________
To make sure you do not miss out on regular updates from the Kluwer Competition Law Blog, please subscribe here.