On 4 July 2023, the Court of Justice resolved the conundrum around the potential interaction between data protection regulation and competition law following the legal opera that started in 2019 with the German competition authority’s case against Facebook/Meta’s processing activities (for a summary of the case, see here). The ruling hops onto Advocate General Rantos’ Opinion (for a comment on the Opinion, see here) but shies away from the main points of contention regarding the contours and limitations of the application of the GDPR in the antitrust framework.
Even though the Bundeskartellamt has been quick in responding and celebrating the ruling, the Court of Justice’s judgment is much more nuanced and goes much further than simply accepting the interaction between both fields of law in the positive or the negative in an all-or-nothing fashion. Instead, the CJEU sparks up the discussion by remarking that data are relevant to appraising the economic background and operations of the main digital platforms, but it also implicitly reprimands the German competition authority for overstretching its powers well over its initial competences.
One must not forget, however, that the ruling, although essentially directed at a national competition authority (NCA), is not entirely dedicated to providing guidance in the interpretation of Article 102 TFEU, but rather to the consideration of the GDPR in the context of the FCO’s idiosyncratic application of Section 19(1) GWB (which pursues and goes further in scope than the objectives pursued by the European-wide conception of the prohibition of an abuse of a dominant position). Against this background, the post is divided into two main parts. The first part disentangles the CJEU’s findings on the potentiality of incorporating data protection concerns into the competition law analysis (Questions 1 and 7 of the preliminary ruling), whereas the second part of the post addresses the rest of the questions addressed to the Court relating to the interpretation of the GDPR (Questions 2, 3 to 5 and 6).
The outset of the case: Not a neutral recalling of the facts?
Before answering the questions addressed to it, the Grand Chamber provides a summary of Facebook’s processing activities. In that respect, however, one might say that the Court’s depiction of the social network’s business model is somewhat disconnected from reality. The CJEU remarks that Meta’s operations are mainly subsidised via online advertising, given that access to the social network and the rest of the apps and services of the Meta family are catered for free. So far, so good. Nonetheless, the Court goes on to establish that Facebook’s business model and online advertising activities are made possible, in technical terms, by the automated production of detailed profiles in respect of network users and the users of the online services offered at the level of the Meta group (para 27). One could get a sense from this first statement that the Court believes that it is technical impossibility, and not economic and strategic decisions delivered on Facebook’s side, that drive the platform’s exploitation of user data. Unlike this first indulgent remark, the CJEU will go on by interpreting that other privacy-enhancing business models (or, to the contrary, not-data-intensive operations) are viable alternatives to sustain Facebook’s activities. The Court will not do so until the interpretation of the GDPR is performed, and the statement is, first off, hinting at a bold remark on the side of the Grand Chamber: Meta is, technically speaking, incapable of devising its business model in any other way to bring its operations in compliance with the law.
The CJEU explains Facebook’s vast processing of personal data, via three different manifestations: i) the collection of that data both within Meta’s own services and apps as well as in third-party web pages and sites (coined as the off-Facebook data); ii) the linking and the processing of the latter with the former to gain greater knowledge and insights on users preferences, needs and likes online; and iii) the use of that data in a myriad of applications, such as by fine-tuning its own services in accordance with user preferences or catering online advertising tailored for the user in a micro-directed fashion (para 28).
Moreover, the Court goes on to draw out the backs-and-forths relating to the Bundeskartellamt, the Higher Regional Court of Düsseldorf’s and the Federal Court of Justice’s intervention which derived into the preliminary ruling. Notwithstanding, the Court agrees with AG Rantos in establishing that the FCO did not draw out a finding of anti-competitive harm from a breach in the GDPR. Instead, the Court establishes that the Bundeskartellamt’s analysis of Facebook’s processing activities attempted to capture whether those operations remained consistent with the underlying values of the GDPR (para 30). The outright distinction in depicting the case is nuanced but substantive: the same conclusions would not have been drawn out if the Grand Chamber was of the opinion that the FCO had applied the GDPR directly to the case (albeit the nationally-idiosyncratic procedural nuances) which is pre-emptively barred from happening -just as AG Rantos pinpointed in para 18-.
Nonetheless, that is not the reading of the Court of Justice over the case: the FCO’s thorough analysis in setting out and examining one by one the legal requirements under the GDPR to establish a breach of competition law was not one of substantively interpreting the data protection regulation without power or competence, but that of checking out the consistency in which Facebook had performed its processing in line with its obligations under the GDPR. Notwithstanding, the Court of Justice later remarks that the FCO covertly considered non-compliance with the GDPR for the sole purpose of establishing an abuse and imposing measures to put an end to that abuse on a legal basis derived from competition law (para 49). For the sake of clarity, let’s say that one accepts this preliminary thought on the side of the Court of Justice so as to draw out the ultimate consequences of bringing data protection regulation and antitrust together.
One-Way Street as a Vital Clue and Two-Way Avenue as an Important Factor
The Court of Justice faced its moment of truth as long as the interaction of data protection and competition law is concerned. The Higher Regional Court of Düsseldorf handed down the question in a silver plate to the judges: does the taint of consistency ordered under Article 55(1) of the GDPR exclude the NCAs finding of an abuse based on a prior (and home-made) infringement of the EU-wide data protection regulation? In short, the Court’s answer is no. However, the answer is not based on the firm standing ground providing for guidance in this respect, but rather on the lack of it. Both the GDPR and Articles 101 and 102 TFEU do not preclude the interaction from unravelling, so it is not contrary to EU law to assert that the GDPR is not put at odds when a national competition authority appraises its provisions in the antitrust framework.
In this regard, the Court of Justice points out that under data protection regulation the data protection supervisory authority is only competent for the performance of the tasks assigned to it and the exercise of the powers conferred on the territory of its own Member State (see Case-645/19 here, para 47 for further reference). Thus, those tasks are those of monitoring and enforcing the application of the GDPR to safeguard the fundamental rights and freedoms enshrined in the Charter to the benefit of natural persons with regards to the processing of their personal data as well as to ensure the free flow of such data, to the extent possible and within the limits of the law. In doing that, those same supervisory authorities must ensure that they cooperate with each other to ensure a consistent application and interpretation across the different Member States (in line with the GDPR’s Article 114 legal basis aimed at avoiding fragmentation regarding the regulatory intervention of each of the Member States on the topic). In the context of the GDPR, the materialisation of those tasks and cooperation is fleshed out through the one-stop-shop mechanism.
Hence, in the absence of rules, NCAs are not prevented from finding, in the performance of their duties, that the data processing operations carried out by an undertaking in a dominant position and assess whether this finding may make them liable for an abuse when lack of compliance with regulation is presented before itself (paras 42 and 43). Given that NCAs and data protection supervisory authorities fulfil and perform different functions with different objectives and tasks in mind, the competences of one and another do not collide, in principle.
The Court of Justice’s line of reasoning follows word by work AG Rantos’ Opinion, which is consistent with prior case law setting out that the compliance of conduct with specific legislation does not preclude the applicability to that conduct of Articles 101 and 102 TFEU (see, in particular, C-457/10 AstraZeneca v Commission, para 132). By this token, the Court of Justice also agrees on the fact that although compliance with the GDPR does not pre-empt the finding of an abuse, it can be considered within the ‘all-of-the-circumstances’ analysis and, in this context, it may even be a vital clue to assess whether the conduct entails resorting to methods prevailing under merit-based competition (AG Rantos Opinion, para 23). The Court of Justice, adds, however, that this element may also be assessed to draw out the consequences of a certain practice in the market or for consumers (para 47). By doing so, however, the Court of Justice remarks that NCAs are not replacing the role of data protection supervisory authorities because they do not act within the powers and tasks conferred upon them under Articles 51(1) and 57 of the GDPR (para 49).
Be that as it may, the Court of Justice plays out with the argument of accepting the consideration of the GDPR within the wider context of antitrust, and extends it into recognising that the access and the use of personal data are of great importance in the context of the digital economy, especially with regards to those business models providing their financing through the marketing of personalised advertising. Hence, the argument goes, the access to personal data and the fact that digital platforms may process that data (after collecting and linking them into large datasets) may be considered as a parameter of competition between the undertakings in the digital economy. The opposite conclusion would disregard the reality of digital economic development and undermine competition law’s effectiveness altogether (paras 50 and 51).
This formula is nothing new to EU competition law, since the European Commission termed privacy as a parameter of competition in Microsoft/LinkedIn (para 350), whereas it later assigned it with the value of an aspect of quality in its draft revised Market Definition Notice (para 12). By terming access and the capacity to process personal data as a parameter of competition, the Court of Justice abstains from the normative preference of privacy-enhancing business models (more privacy is better for the consumer) to assert that the degree of access and the capacity to process are relevant to the competitive dynamics, detached from their implications regarding the scope of the GDPR.
From the foregoing, then, one gets a sense that a platform’s activities may be a vital clue to assessing the undertaking’s deviation from normal competition, but the same does not seem to apply with respect to the relationship with the consideration of dominance in interpreting the GDPR (para 151). In this regard, the Court of Justice highlights that dominance may be but an important factor in determining whether user consent can be, in fact, validly granted to enable the data controller’s processing activities. Hence, the interaction between both fields of law considers the abusive nature of the undertaking’s conduct, whereas abusiveness may not be, in turn, reconvened into a relevant factor when assessing whether the platform may process personal data lawfully and legally.
The obligation to cooperate with supervisory authorities and the NCAs’ necessity to consider data protection regulation
Even though, in light of the foregoing, the Court of Justice’s ruling could be read in the sense of providing ample leeway for incorporating data protection considerations into the antitrust analysis, the CJEU provides some limitations at the institutional outset of the interaction to narrow down the NCAs’ capacity to produce their findings based on the GDPR’s predicaments. Once again, the Court of Justice free-rides on the arguments presented by AG Rantos in his Opinion and goes a step further. In the absence of rules governing the cooperation between NCAs and data protection supervisory authorities, they are, at least, both bound by the duty of sincere cooperation under Article 4(3) TEU (AG Rantos Opinion, para 28).
Once put into action, this duty frames a whole set of scenarios before it. In principle, the NCA must first consult and cooperate with the national data protection supervisory authorities concerned or the lead supervisory authority in order to observe, if relevant, their respective powers and competences (para 54). Therefore, even in the absence of a risk of divergence, the NCAs are bound to consult first the data protection supervisory authority that would be competent under the GDPR to resolve a particular topic.
Alternatively, in the presence of a risk of interpreting the GDPR in a divergent manner concerning the same or similar general terms presented by the same undertaking, then the principle of necessity kicks in (paras 55 and 56). Although the Court of Justice does not flesh out exactly what necessity means in this context, it is quite clear that the NCAs’ capacity to interpret the provisions and values of the GDPR in the antitrust framework is circumscribed to those occasions where that analysis is necessary to rule, in the context of a decision of an abuse of a dominant position, on whether the undertaking’s conduct complies with rules other than those relating to competition law, i.e., those laid down by the GDPR (paras 48 and 56). Thus, in my own mind, the Court of Justice implicitly hints at a substantive limitation before an NCAs overarching and comprehensive antitrust analysis concerning the application of data protection provisions. The threshold of necessity must be surpassed and then, and only then, the NCA must engage in cooperation with the supervisory authorities concerned with the particular case.
Within this wider duty to cooperate, in the presence of a prior decision concerning the same facts, although the NCA cannot depart from them, it can draw its own conclusions because the application and interpretation of competition law correspond solely to it (para 56). There is, again, no preclusion between both fields of law, insofar as the NCAs are provided with ample leeway to decide differently (or even in contradiction) from a data protection supervisory authority’s ‘binding’ decision.
Descending those scenarios into reality, the Court of Justice upheld the Bundeskartellamt’s intervention insofar as it fulfilled its cooperation obligations sufficiently by contacting national and regional supervisory authorities which could be deemed to be sufficiently competent to decide the same case under the lens of data protection (paras 60 and 61).
Meta’s processing activities are at odds with the GDPR
After resolving the much-expected tension between data protection and competition law, the Court of Justice responds to the rest of the questions addressed by the referring court, too, relating to whether Facebook’s processing activities were lawful in light of the GDPR’s provisions. In this regard, the ruling is not so lenient and nuanced towards performing a balancing act and defining the limitations of the interplay, but rather it is more blunt in its conclusions. In short, the Court of Justice considers that, but for a few aspects of Meta’s processing of personal data, the German competition authority was right in establishing that the data protection regulation was disregarded by Facebook when justifying the exploitation and processing of user data via its operations.
First off, the CJEU establishes that the processing of off-Facebook data was prohibited under Article 9(2) GDPR, given that special categories of personal data were processed without the end user’s consent and knowledge of the real-life consequences of registering into the social network. In this regard, the Court of Justice only remarks that it will be for the referring court to assess whether users were sufficiently informed to provide their explicit consent when using the Facebook ‘Like’ and ‘Share’ buttons on those third-party web pages so that the derogation of the data subject manifestly making public her own personal data under Article 9(2)(e) of the GDPR applies.
Second, the Court of Justice engages directly with Facebook’s legal basis, under Articles 6(1)(b)-(e) of the GDPR, for processing user personal data within their services and apps and in third-party websites. In sum, the Court of Justice provides a narrow space for interpretation to the referring court to find in favour of Meta as far as the legitimisation of their processing activities is concerned.
And finally, the Court of Justice undermines Meta’s capacity to frame and justify its processing activities in light of the granting of end-user consent under Article 6(1)(a) of the GDPR, irrespective of the fact that holding a dominant position does not, in principle, prevent the users of a social network from validly granting their consent (para 147). In this regard, the Court of Justice’s findings do not differ much from the Irish Data Protection Commission’s decisions against Meta for its processing of personal data, even though the Court of Justice brings forward a valuable argument as a counterfactual of sorts to Meta’s current business model. Despite the fact that its current monetisation strategies are directed at subsidising its services via online advertising, Meta does have the capacity to produce equivalent alternatives for catering their products online where processing operations are not performed at such a large scale or even at all, albeit it meaning that users may have to correspond with an appropriate fee to cover for the service’s value (para 150).
In spite of the fact that the Court of Justice’s ruling has provided joy amongst (some) scholars and (some) NCAs because of its adamant position in bringing forward and acknowledging the tension between data protection regulation and competition law, the case has set in stone a nuanced approach towards the integration without pre-empting the legal discourse towards privacy-enhancing (or less data-intensive) business models. By doing that, the Court of Justice paves the way out to the referring court’s decision as well as to the case’s final resolution -despite that efforts on the side of the German competition authority are redirected to achieving architecture design changes in Meta’s interfaces to the benefit of consumers, see press release here-, regardless that the final word in stopping the massive harvesting of personal data may not come from competition law after all but from the implementation of Article 5(2) of the DMA.
Against this background, the Court of Justice steers the consideration of the access and processing of personal data into a parameter of competition in the digital arena, but not to a goal, standard or indicator which can be applied across the board into EU competition law.