The main takeaways from the CJEU judgement in the Meta vs. Bundeskartellamt (C-252/21) case 

On the 4th of July 2023, the CJEU finally ruled on the judgement in the case Meta vs. Bundeskartellamt (C-252/21). This judgement states essential considerations about the legal grounds for processing, sensitive personal data and the competition authorities’ powers concerning the GDPR.

A brief overview of the case 

How does Meta collect personal data?

For processing personal data, Meta relies on the user agreement. It is concluded when Facebook users click on the ‘Sign up’ button, thereby accepting the general terms. Meta collects user- and device-related data about user activities on and off Facebook and links it with the Facebook accounts of the users concerned. 

The data relating to activities outside the social network (the off-Facebook data) are data concerning:

• visits to third-party web pages and apps, which are linked to Facebook through Facebook Business Tools;
• data concerning the use of other online services belonging to the Meta group, including Instagram and WhatsApp.

How did the case start?

This case started in 2019 when the Federal Cartel Office brought proceedings against Meta Platforms, Meta Platforms Ireland, and Facebook Deutschland, as a result of which it essentially prohibited those companies from:

• making the use of Facebook by private users resident in Germany subject to the processing of their off-Facebook data and 
• processing the data without their consent on the basis of the general terms in force at the time. 

The Federal Cartel Office based its decision on the fact that the processing of the data of the users concerned, as provided for in general terms, constituted an abuse of that company’s dominant position on the market for online social networks for private users in Germany. The processing of the off-Facebook data they provide is inconsistent with the underlying values of the GDPR. 

On 11 February 2019, Meta Platforms, Meta Platforms Ireland, and Facebook Deutschland brought an action against the decision of the Federal Cartel Office before the Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf, Germany).

The Oberlandesgericht Düsseldorf had different doubts concerning this case and decided to stay the proceedings and refer the request to the Court of Justice for a preliminary ruling.

Finally, on the 4th of July 2023, the CJEU ruled on the judgement in this case (C-252/21) with answers to questions posed by the German court. 

This judgement is remarkable because it basically prohibits controllers from relying on legal grounds other than freely given consent for personalised advertisement. Meta tried to present advertisements as a part of the service that it contractually owes the users, and the CJEU closed this door. 

What were the questions and the CJEU answers?

• Interpretation of legal bases for processing (Art. 6 and 9 of the GDPR)
• Art. 6(1) (b) – performance of a contract 

Personalised content and the consistent and seamless use of the Meta group’s own services are elements intended to ensure the proper performance of the contract concluded between Meta and its users.

The CJEU states that where the contract consists of several separate services or elements of a service that can be performed independently of one another, the applicability of Article 6(1)(b) of the GDPR should be assessed in the context of each of those services separately.

The Court emphasises that Article 6(1)(b) of the GDPR must be interpreted as meaning that the processing of personal data is objectively indispensable for a purpose that is integral to the contractual obligation intended for those users, such that the main subject matter of the contract cannot be achieved if that processing does not occur.

Personalised content

The CJEU declares that personalised content does not appear to be necessary in order to offer that user the services of the online social network. Those services may, where appropriate, be provided to the user in the form of an equivalent alternative that does not involve such a personalisation.

The consistent and seamless use of the Meta group’s own services

The Court states that there is no obligation to subscribe to the various services offered by the Meta group in order to create a user account on the social network Facebook. The various products and services offered by that group can be used independently of each other, and the use of each product or service is based on the conclusion of a separate user agreement. Therefore, the processing of personal data from services offered by the Meta group, other than the online social network service, does not appear to be necessary for the latter service to be provided.

Art.6 (1) (f) – legitimate interest

According to the CJEU, Article 6(1)(f) of the GDPR must be interpreted as meaning that such processing can be regarded as necessary for the purposes of the legitimate interests only on condition that the operator has informed the users of legitimate interest, that such processing is carried out only in so far as is strictly necessary for the purposes of that legitimate interest and that the interests or fundamental freedoms and rights of those users do not override that legitimate interest of the controller or of a third party.

Personalised advertisement 

The Court states that despite the fact that the services of an online social network such as Facebook are free of charge, the user of that network cannot reasonably expect that the operator of the social network will process that user’s personal data, without his or her consent, for the purposes of personalised advertising. 

The interests and fundamental rights of such a user override the interest of that operator in such personalised advertising by which it finances its activity, with the result that the processing by that operator for such purposes cannot fall within the scope of Article 6(1) (f) of the GDPR.

Product improvement

The CJEU declares that subject to final assessment by the referring court in that respect, it appears doubtful whether, as regards the data processing at issue in the main proceedings, the ‘product improvement’ objective, given the scale of that processing and its significant impact on the user, as well as the fact that the user cannot reasonably expect those data to be processed by Meta Platforms Ireland, may override the interests and fundamental rights of such a user, particularly in the case where that user is a child.

Sharing of information with law enforcement agencies in order to prevent, detect and prosecute criminal offences

The Court states that this objective is not capable, in principle, of constituting a legitimate interest pursued by the controller within the meaning of Article 6(1) (f) of the GDPR. A private operator such as Meta Platforms Ireland cannot rely on such a legitimate interest, which is unrelated to its economic and commercial activity. 

Art.6 (1) (c)  – legal obligation 

According to the CJEU, it will be for that court to assess, in the light of Article 6(1) (e) of the GDPR, whether Meta was entrusted with a task carried out in the public interest or in the exercise of official authority, in particular with a view of carrying out research for the social good and to promote safety, integrity and security, bearing in mind that, given the type of activity and the essentially economic and commercial nature thereof, it seems unlikely that that private operator was entrusted with such a task.

Art. 6(1) (d) – protect vital interests

The Court emphasises that in view of the nature of the services provided by the operator of an online social network, such an operator, whose activity is essentially economic and commercial in nature, cannot rely on the protection of an interest which is essential for the life of its users or of another person in order to justify, absolutely and in a purely abstract and preventive manner, the lawfulness of data processing such as that at issue in the main proceedings.

Art. 6(1) (a) – consent 

According to the CJEU, the fact that the operator of an online social network, as controller, holds a dominant position on the social network market does not, as such, prevent the users of that social network from validly giving their consent, within the meaning of Article 4(11) of the GDPR. However, the existence of such a dominant position may create a clear imbalance between the data subject and the controller.

Therefore, the CJEU states that it is appropriate, within the meaning of recital 43, to have the possibility of giving separate consent for the processing of data relating to users’ conduct within the social network, on the one hand, and the off-Facebook data, on the other. 

To sum up, Meta (and other operators of online social networks) may process personal data based on legal grounds other than consent (as the performance of a contract or legitimate interests) only to provide the core products such as messaging or sharing content. All other processing (like advertisement and sharing personal data) requires freely given user’s consent.

Processing of sensitive personal data by Meta 

The Facebook user visits flirting apps, gay dating sites, political party websites, or health-related websites or also enters information into them. The user also clicks or taps on the buttons integrated into them, such as the ‘Like’ or ‘Share’ buttons or the buttons enabling the user to identify himself or herself on those sites or apps using the Facebook login credentials. That may reveal information falling within one or more of the special categories of personal data.

Under the derogation laid down in Article 9(2)(e) of the GDPR, the fundamental prohibition of any processing of special categories of personal data does not apply in the circumstance where the processing relates to personal data which are ‘manifestly made public by the data subject’.

The CJEU emphasises that the derogation applies only to data that are manifestly made public ‘by the data subject’. Accordingly, it is not applicable to data concerning persons other than the person who made those data public. 

The user manifestly makes public, within the meaning of Article 9(2)(e), the data thus entered or resulting from the clicking or tapping on those buttons only in the circumstance where he or she has explicitly made the choice beforehand, as the case may be on the basis of individual settings selected with full knowledge of the facts, to make the data relating to him or her publicly accessible to an unlimited number of persons.

The relations between a national competition authority and a supervisory authority 

The supervisory authorities and the national competition authorities perform different functions and pursue their own objectives and tasks.

However, the Court states that in the light of the duty of sincere cooperation enshrined in Article 4(3) TEU, when national competition authorities are called upon, in the exercise of their powers, to examine whether an undertaking’s conduct is consistent with the provisions of the GDPR, they are required to consult and cooperate sincerely with the national supervisory authorities concerned or with the lead supervisory authority, all of which are then bound, in that context, to observe their respective powers and competences, in such a way as to ensure that the obligations arising from the GDPR and the objectives of that regulation are complied with while their effectiveness is safeguarded.

Therefore, a national competition authority and a supervisory authority are two separate authorities with different tasks. However, they must cooperate, especially when a national competition authority conducts an investigation into the abuse of dominant position connected with the GDPR violations.

What does this judgement mean for GDPR compliance of your digital business?

• Operators of online social networks may process personal data based on legal grounds other than consent (as the performance of a contract or legitimate interests) only to provide the core products such as messaging or sharing content. All other processing (like advertisement and sharing personal data) requires freely given user’s consent.
• Special categories of personal data are not manifestly made public if such data is revealed based only on a user’s website or app visit. It requires he or she to have explicitly made the choice beforehand.

National competition authorities, during their investigations, are allowed to examine whether the GDPR has been infringed.