07 Jul 2023

Data Protection and Dominant Market Positions: Court Ruling Explores GDPR Compliance

On July 4, 2023, the Court of Justice of the European Union (“CJEU“) pronounced a momentous judgment in Meta Platforms and Others.  For the first time, the CJEU ruled that national competition authorities may determine GDPR infringements when examining an abuse of a dominant position.  The CJEU’s decision clarifies the relationship between the General Data Protection Regulation (“GDPR“) and EU competition law, establishing that they can coexist and complement each other without conflict.  The case centered on Meta Platforms Ireland, which runs Facebook in the EU.

The ruling has its roots in a decision issued by Germany’s antitrust regulator, the Federal Competition Authority – Bundeskartellamt (“FCO“), which followed an extensive investigation into Facebook’s operations.  Meta Platforms Ireland’s user data collection practices were scrutinized particularly their data and cookie policies.  Users registering on Facebook were bound by the company’s terms and conditions, enabling the collection and linking of user activities both on and off the social network.  Referred to as “off-Facebook data,” this included information about users’ visits to third-party websites and apps and their use of other Meta Group services like Instagram and WhatsApp.  This data was instrumental in delivering personalized advertising on the platform.

In response, the FCO expressly prohibited the processing of off-Facebook data without the express consent of German private users.  The FCO determined that Facebook holds a dominant position in the German social network market and has violated competition law by misusing this dominance through its data collection practices, which are non-compliant with the GDPR.

The CJEU addressed whether national competition authorities have the right to decide whether data processing operations comply with GDPR rules.  In addition, the CJEU underscored the possibility that competition authorities might need to consider non-competition norms, such as those outlined in the GDPR when investigating abuse of a dominant position.  However, the CJEU made it clear that if a national competition authority identifies GDPR violations, its job is not to replace the designated supervisory authorities but rather to demonstrate the abuse of a dominant position and implement appropriate remedies within the scope of competition law.

The CJEU emphasized the significance of consultation and collaboration between national competition authorities and the authorities in charge of GDPR enforcement to ensure consistent application of the GDPR.  Before a national competition authority evaluates a company’s compliance with GDPR rules, it must ascertain whether the relevant supervisory authorities or the Court has made any pertinent previous decisions.  Even if there are such rulings, the competition authority is not bound by them but must consider them while making conclusions based on competition law.

It is important to note that this judgment was preceded by the Opinion of AG Rantos, delivered on September 20, 2022.  It is a vivid example of the Advocate General’s role in navigating complex cases before the CJEU by proposing independent legal solutions and logical reasoning, often forming the basis of the ruling and its raison d’etre.  AG Rantos opined that a competition authority “does not have the competence to make a ruling, primarily, on a breach of [the GDPR] or to impose the penalties envisaged.” However, he also considered this irrelevant and reasoned that nothing in the GDPR prevents a competition authority “from being able to take account, as an incidental question, of the compatibility of conduct with the provisions of the GDPR.”

Ultimately, the competition authority is tasked with evaluating whether there has been a violation of competition law.  The CJEU’s decision raised important questions about how data is processed.  The CJEU investigated whether Meta Platforms Ireland’s handling of both sensitive and non-sensitive data complied with the lawful basis stated in the GDPR that allows data processing without explicit consent from the data subject.  The CJEU also questioned whether the Meta group’s personalized content and user-friendly services met the requirements considered objectively necessary and proportionate for providing social network services to data subjects.

Furthermore, the CJEU observed that the financial reasoning behind Facebook’s targeted advertising did not justify processing data without the user’s explicit consent.  The CJEU explained that having a dominant market position does not per se mean that users’ ability to provide valid consent under the GDPR is compromised.  What matters is how the dominant position affects users’ freedom of choice and the resulting power imbalance between the users and the company controlling their data.  These factors are crucial when determining whether consent is freely given.  However, as a dominant market position has the potential to impact users’ freedom of choice and create an imbalance between them and the data controller, it is significant in assessing the validity and, specifically, the voluntary nature of the given consent.

In this significant ruling, the Luxembourg-based Court approved giving antitrust authorities more leeway in Big Tech probes.  The ruling casts doubt on the rationale for data processing without express consent and highlights how crucial it is to protect user privacy.  In addition to emphasizing the importance of a balanced strategy between personalized advertising and user choice, it also draws attention to the impact of a dominant market position on the validity of permission.  This important ruling helps us understand how user rights, competition law, and data protection interact.



Branko Gabrić

Milica Novaković

Nikola Ivković