Case C‑252/21
Meta Platforms Inc., formerly Facebook Inc.,
Meta Platforms Ireland Ltd, formerly Facebook Ireland Ltd,
and
Facebook Deutschland GmbH
v
Bundeskartellamt
(Reference for a preliminary ruling from the Oberlandesgericht Düsseldorf)
Judgment of the Court (Grand Chamber), 4 July 2023
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Online social networks – Abuse of a dominant position by the operator of such a network – Abuse which entails the processing of the personal data of the users of that network as provided for in its general terms of use – Powers of a competition authority of a Member State to find that processing not consistent with that regulation – Reconciliation with the powers of the national data protection supervisory authorities – Article 4(3) TEU – Principle of sincere cooperation – Points (a) to (f) of the first subparagraph of Article 6(1) of Regulation 2016/679 – Whether the processing is lawful – Article 9(1) and (2) – Processing of special categories of personal data – Article 4(11) – Concept of ‘consent’)
1. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Online social networks – Abuse of a dominant position by the operator of such a network – Abuse which entails the processing of the personal data of the users of that network as provided for in its general terms of use – Powers of a national competition authority to find that processing not consistent with that regulation – Scope – Reconciliation with the powers of the national data protection supervisory authorities – Duty of sincere cooperation of the national competition authority with the national supervisory authorities
(Art. 4(3) TEU; Art. 102 TFEU; European Parliament and Council Regulation 2016/679, Arts 51, 55 to 58, 60 to 65)
(see paragraphs 48-59, 62, 63, operative part 1)
2. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Processing of special categories of personal data – Concept – Collection, by the operator of an online social network, by means of integrated interfaces, cookies or similar storage technologies, of data from visits to websites and apps and of the information entered by the user of that social network – Linking of all those data with that user’s social network account and use of those data by that operator – Included – Conditions
(European Parliament and Council Regulation 2016/679, recital 51 and Art. 9(1))
(see paragraph 73, operative part 2)
3. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Processing of special categories of personal data – Prohibition – Exceptions – Processing relating to data manifestly made public by the data subject – Data relating to visits, by the user of an online social network, to websites or apps to which one or more of the special data categories relate, collected by the operator of that social network via cookies or similar storage technologies – Not included – Entering of information into such websites or apps or clicking or tapping on buttons integrated into them or on buttons enabling the user to identify himself or herself on those sites or apps by using the login credentials linked to his or her online social network user account – Included – Conditions
(European Parliament and Council Regulation 2016/679, Art. 9(1) and (2)(e))
(see paragraphs 84, 85, operative part 3)
4. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Conditions governing the lawfulness of the processing of personal data – Processing necessary for the performance of a contract binding on the data subject – Concept – Collection, by the operator of an online social network, of the data of the users of such a network from other services of the group to which that operator belongs or of the data from visits by those users to third-party websites or apps – Linking of those data with the social network accounts of those users and use of those data – Included – Conditions
(European Parliament and Council Regulation 2016/679, Art. 6(1), first subpara., (b))
(see paragraphs 91-93, 97-104, 125, operative part 4)
5. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Conditions governing the lawfulness of the processing of personal data – Processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party, on condition that the interests or fundamental rights and freedoms of the data subject requiring data protection do not prevail – Concept – Collection, by the operator of an online social network, of the data of the users of such a network from other services of the group to which that operator belongs or of the data from visits by those users to third-party websites or apps – Linking of those data with the online social network accounts of those users and use of those data – Included – Conditions
(European Parliament and Council Regulation 2016/679, recitals 47 and 49, Art. 6(1), first subpara., (f))
(see paragraphs 105-124, 126, operative part 5)
6. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Conditions governing the lawfulness of the processing of personal data – Processing necessary in order to protect the vital interests of the data subject or of another natural person – Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority pursued by the controller – Concept – Collection, by the operator of an online social network, of the data of the users of such a network from other services of the group to which that operator belongs or of the data from visits by those users to third-party websites or apps – Linking of those data with the social network accounts of those users and use of those data – Not included – Verification a matter for the national court
(European Parliament and Council Regulation 2016/679, recital 46, Art. 6(1), first subpara., (d) and (e))
(see paragraphs 137, 139, operative part 7)
7. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Conditions governing the lawfulness of the processing of personal data – Processing necessary for compliance with a legal obligation on the part of the controller – Concept – Collection, by the operator of an online social network, of the data of the users of such a network from other services of the group to which that operator belongs or of the data from visits by those users to third-party websites or apps – Linking of those data with the social network accounts of those users and use of those data – Included – Conditions
(European Parliament and Council Regulation 2016/679, Art. 6(1), first subpara., (c))
(see paragraph 138, operative part 6)
8. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Concept of ‘consent’ – Dominant position on the online social networks held by the operator of an online social network – Circumstance not preventing the users of such a network from validly giving consent to the processing of their data by that operator – Circumstance constituting an important factor for the purposes of determining whether the consent thus given by the users of that social network was validly and, in particular, freely given – Burden of proof borne by the operator of that social network
(European Parliament and Council Regulation 2016/679, recitals 42 and 43, Arts 4(11), 6(1), first subpara., (a), and 9(2)(a))
(see paragraphs 143-154, operative part 8)
Résumé
Meta Platforms owns the online social network Facebook, which is free of charge for private users. The business model of that social network is based on financing through online advertising, which is tailored to its individual users. That advertising is made possible in technical terms by the automated production of detailed profiles in respect of the network users and the users of the online services offered at the level of the Meta group. In order to be able to use that social network, when they register, users must accept the general terms drawn up by Meta Platforms, which refer to the data and cookies policies set by that company. Under those policies, in addition to the data which those users provide directly when they register, Meta Platforms also collects data about user activities on and off the social network and links the data with the Facebook accounts of the users concerned. The latter data, also known as ‘off-Facebook data’, are data concerning visits to third-party webpages and apps as well as data concerning the use of other online services belonging to the Meta group (including Instagram and WhatsApp). The aggregate view of the data thus collected allows detailed conclusions to be drawn about those users’ preferences and interests.
By decision of 6 February 2019, the Bundeskartellamt (Federal Cartel Office, Germany), prohibited Meta Platforms, first, from making, in the general terms in force at the time, (1) the use of the social network Facebook by private users resident in Germany subject to the processing of their off-Facebook data and, second, from processing those data without their consent. In addition, the Federal Cartel Office required Meta Platforms to adapt those general terms in such a way that it is made clear that those data will neither be collected nor linked with Facebook user accounts nor used without the consent of the users concerned. Last, the office clarified that such a consent was not valid if it was a condition for using the social network. It based its decision on the fact that the processing of the data at issue, which it found to be inconsistent with the GDPR, (2) constitutes an abuse of Meta Platforms’s dominant position on the market for online social networks.
Meta Platforms brought an action against that decision before the Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf, Germany). Having doubts as to (i) whether national competition authorities may review whether the processing of personal data complies with the requirements set out in the GDPR and (ii) the interpretation and application of certain provisions of that regulation, the Higher Regional Court, Düsseldorf, referred the matter to the Court of Justice for a preliminary ruling.
By its judgment, the Court, sitting as the Grand Chamber, rules on the powers of a national competition authority to find that the processing of personal data is not consistent with the GDPR as well as on how to reconcile this with the powers of the national data protection supervisory authorities. (3) Moreover, it provides clarification on whether users’ ‘sensitive’ personal data may be processed by the operator of a social network, on the conditions for lawful data processing by such an operator and on whether consent given for the purposes of such processing by those users to an undertaking holding a dominant position on the national market for online social networks is valid.
Findings of the Court
In the first place, with regard to the powers of a competition authority to find that the processing of personal data is not consistent with the GDPR, the Court holds that, subject to compliance with its duty of sincere cooperation (4) with the data protection supervisory authorities, such an authority can find, in the context of the examination of an abuse of a dominant position by an undertaking, (5) that that undertaking’s general terms of use relating to the processing of personal data and the implementation thereof are not consistent with that regulation, where that finding is necessary to establish the existence of such an abuse. Nevertheless, where a competition authority identifies an infringement of the GDPR in the context of the finding of an abuse of a dominant position, it does not replace the supervisory authorities.
Thus, in the light of the principle of sincere cooperation, when competition authorities are called upon, in the exercise of their powers, to examine whether an undertaking’s conduct is consistent with the provisions of the GDPR, they are required to consult and cooperate sincerely with the national supervisory authorities concerned or with the lead supervisory authority. All of these authorities are then bound to observe their respective powers and competences, in such a way as to ensure that the obligations arising from the GDPR and the objectives of that regulation are complied with while their effectiveness is safeguarded. It follows that, where, in the context of the examination seeking to establish whether there is an abuse of a dominant position by an undertaking, a competition authority takes the view that it is necessary to examine whether that undertaking’s conduct is consistent with the provisions of the GDPR, that authority must ascertain whether that conduct or similar conduct has already been the subject of a decision by the competent national supervisory authority or the lead supervisory authority or the Court. If that is the case, the competition authority cannot depart from it, although it remains free to draw its own conclusions from the point of view of the application of competition law.
Where it has doubts as to the scope of the assessment carried out by the competent national supervisory authority or the lead supervisory authority, where the conduct in question or similar conduct is, simultaneously, under examination by those authorities, or where, in the absence of investigation by those authorities, it takes the view that an undertaking’s conduct is not consistent with the provisions of the GDPR, the competition authority must consult these authorities and seek their cooperation in order to dispel its doubts or to determine whether it must wait for the supervisory authority concerned to take a decision before starting its own assessment. In the absence of any objection from them or of a reply within a reasonable time, the competition authority may continue its own investigation.
In the second place, with regard to the processing of special categories of personal data, (6) the Court finds that, where the user of an online social network visits websites or apps to which one or more of those categories relate and, as the case may be, enters information into them when registering or when placing online orders, the processing of personal data by the operator of that online social network (7) must be regarded as ‘processing of special categories of personal data’ within the meaning of Article 9(1) of the GDPR, where it allows information falling within one of those special categories to be revealed, irrespective of whether that information concerns a user of that network or any other natural person. Such data processing is in principle prohibited, subject to certain derogations. (8)
In the latter regard, the Court states that, where the user of an online social network visits websites or apps to which one or more of those special categories relate, the user does not manifestly make public (9) the data relating to those visits collected by the operator of that online social network via cookies or similar storage technologies. Moreover, where he or she enters information into such websites or apps or where he or she clicks or taps on buttons integrated into those sites and apps, such as the ‘Like’ or ‘Share’ buttons or buttons enabling the user to identify himself or herself on those sites or apps using login credentials linked to his or her social network user account, his or her telephone number or email address, that user manifestly makes public the data thus entered or resulting from the clicking or tapping on those buttons only in the circumstance where he or she has explicitly made the choice beforehand, as the case may be on the basis of individual settings selected with full knowledge of the facts, to make the data relating to him or her publicly accessible to an unlimited number of persons.
In the third place, as regards more generally the conditions for the lawful processing of personal data, the Court recalls that, under the GDPR, data processing is lawful if and to the extent that the data subject has given consent for one or more specific purposes. (10) In the absence of such a consent, or where that consent was not freely given, specific, informed and unambiguous, such processing is nevertheless justified if it meets one of the requirements of necessity, (11) which must be interpreted strictly. The processing of the personal data of its users by the operator of an online social network can be regarded as necessary for the performance of a contract to which those users are party only on condition that the processing is objectively indispensable for a purpose that is integral to the contractual obligation intended for those users, such that the main subject matter of the contract cannot be achieved if that processing does not occur.
In addition, according to the Court, the data processing at issue can be regarded as necessary for the purposes of the legitimate interests pursued by the controller or by a third party only on condition that the operator has informed the users from whom the data have been collected of a legitimate interest that is pursued by the data processing, that such processing is carried out only in so far as is strictly necessary for the purposes of that legitimate interest and that it is apparent from a balancing of the opposing interests, having regard to all the relevant circumstances, that the interests or fundamental freedoms and rights of those users do not override that legitimate interest of the controller or of a third party. The Court finds, inter alia, that in the absence of consent on their part, the interests and fundamental rights of those users override the interest of the operator of an online social network in personalised advertising through which it finances its activity.
Last, the Court specifies that the processing of personal data at issue is justified where it is actually necessary for compliance with a legal obligation to which the controller is subject, pursuant to a provision of EU law or the law of the Member State concerned, where that legal basis meets an objective of public interest and is proportionate to the legitimate aim pursued and where that processing is carried out only in so far as is strictly necessary.
In the fourth and last place, as regards the validity of the consent of the users concerned to the processing of their data under the GDPR, the Court holds that the fact that the operator of an online social network holds a dominant position on the market for online social networks does not, as such, preclude the users of such a network from being able validly to consent to the processing of their personal data by that operator. However, since that position is liable to affect the freedom of choice of those users and to create a clear imbalance between them and the controller, it is an important factor in determining whether the consent was in fact validly and, in particular, freely given, which it is for that operator to prove. (12)
In particular, the users of the social network in question must be free to refuse individually, in the context of the contractual process, to give their consent to particular data processing operations not necessary for the performance of the contract, without being obliged to refrain entirely from using that online social network, which means that those users are to be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations. Moreover, it must be possible to give separate consent for the processing of off-Facebook data.