A national competition authority can find, in the context of the examination of an abuse of a dominant position, that the GDPR has been infringed (ECJ)

According to Judgment of the European Court of Justice in Case C-252/21 (Meta Platforms and Others), a national competition authority can find, in the context of the examination of an abuse of a dominant position, that the GDPR has been infringed.

Bound by the duty of sincere cooperation, it must nonetheless take into consideration any decision or investigation by the competent supervisory authority pursuant to that regulation.

Meta Platforms Ireland operates the online social network Facebook within the European Union. When they register with Facebook, its users accept the general terms drawn up by that company and, consequently, the data and cookies policies. According to those policies, Meta Platforms Ireland collects data about user activities on and off the social network and links them with the Facebook accounts of the users concerned. The latter data, also known as ‘off-Facebook data’, are data concerning visits to third-party webpages and apps as well as data concerning the use of other online services belonging to the Meta group (including Instagram and WhatsApp). The data thus collected serve, inter alia, to create personalised advertising messages for Facebook users.

The German Federal Cartel Office prohibited, in particular, the use of the social network Facebook by private users resident in Germany from being subject, in the general terms, to the processing of their off-Facebook data and those data from being processed without their consent. It based its decision on the fact that since that processing was not consistent with the General Data Protection Regulation (GDPR),[1] it constituted an abuse of that Meta Platforms Ireland’s dominant position on the German market for online social networks.

Hearing an action brought against that decision, the Higher Regional Court, Düsseldorf, asks the Court of Justice whether the national competition authorities may review whether a data processing operation complies with the requirements set out in the GDPR. In addition, the German court refers questions to the Court of Justice about the interpretation and the application of certain provisions of the GDPR to the processing of data by the operator of an online social network.

In its judgment, the Court of Justice states that, in the context of the examination of an abuse of a dominant position by an undertaking, it may be necessary for the competition authority of the Member State concerned also to examine whether that undertaking’s conduct complies with rules other than those relating to competition law, such as the rules laid down by the GDPR.

However, where the national competition authority identifies an infringement of the GDPR, it does not replace the supervisory authorities established by that regulation. The sole purpose of the assessment of compliance with the GDPR is merely to establish an abuse of a dominant position and impose measures to put an end to that abuse on a legal basis derived from competition law. In order to ensure the consistent application of the GDPR, the national competition authorities are required to consult and cooperate sincerely with the authorities monitoring the application of that regulation. 

In particular, where the national competition authority takes the view that it is necessary to examine whether an undertaking’s conduct is consistent with the GDPR, it must ascertain whether that conduct or similar conduct has already been the subject of a decision by the competent supervisory authority or the Court. If that is the case, it cannot depart from it, although it remains free to draw its own conclusions from the point of view of the application of competition law.

Furthermore, the Court observes that the data processing operation carried out by Meta Platforms Ireland appears also to concern special categories of data that may reveal, inter alia, racial or ethnic origin, political opinions, religious beliefs or sexual orientation, and the processing of which is in principle prohibited by the GDPR. It will be for the national court to determine whether some of the data collected may actually allow such information to be revealed, irrespective of whether that information concerns a user of that social network or any other natural person. As to whether the processing of such ‘sensitive’ data is exceptionally permitted due to the fact that they were manifestly made public by the data subject, the Court clarifies that the mere fact that a user visits websites or apps that may reveal such information does not in any way mean that the user manifestly makes public his or her data, within the meaning of the GDPR.

In addition, the same applies where a user enters information into such websites or apps or where he or she clicks or taps on buttons integrated into them, unless he or she has explicitly made the choice beforehand to make the data relating to him or her publicly accessible to an unlimited number of persons. As regards more generally the processing operation carried out by Meta Platforms Ireland, including the processing of ‘non-sensitive’ data, the Court examines next whether this is covered by the justifications, set out in the GDPR, allowing the processing of data carried out in the absence of the data subject’s consent to be made lawful.

In that context, it finds that the need for the performance of the contract to which the data subject is party may justify the practice at issue only on condition that the data processing is objectively indispensable such that the main subject matter of the contract cannot be achieved if the processing in question does not occur. Subject to verification by the national court, the Court of Justice expresses doubts as to whether personalised content or the consistent and seamless use of the Meta group’s own services are capable of fulfilling those criteria.

Moreover, according to the Court, the personalised advertising by which the online social network Facebook finances its activity, cannot justify, as a legitimate interest pursued by Meta Platforms Ireland, the processing of the data at issue, in the absence of the data subject’s consent.

Lastly, the Court notes that the fact that the operator of an online social network, as controller, holds a dominant position on the social network market does not, as such, prevent its users from validly giving their consent, within the meaning of the GDPR, to the processing of their personal data by that operator. However, since that position is liable to affect the freedom of choice of those users and create a clear imbalance between them and the data controller, it constitutes an important factor in determining whether the consent was in fact validly and, in particular, freely given. This is for the operator to prove. (source: curia.europa.eu/ photo: freepik.com)

Judgment is available here

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1).

Comments

Post a Comment

Editorial

Editorial
George Kazoleas, Lawyer

Top Stories

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Image
The European Ombudsman inquiry into the Commission’s handling of a request for text messages between its President and the CEO of a pharmaceutical company is a wake-up call for all EU institutions about ensuring accountability in an era of instant messaging. One year after the initial request by a journalist, the Commission has still not clarified whether messages reported to concern major vaccine procurement deals exist and whether the public is entitled to see them. The Ombudsman had asked the Commission, in a finding of maladministration in January, to conduct a more thorough search for the text messages. The Commission’s recent response failed to say whether it had looked directly and correctly for the text messages and if not, why not. While the response recognised that work-related text messages can be EU documents, it reiterated that the Commission’s internal policy is, in effect, not to register text messages. The Ombudsman has closed  the inquiry  and upheld...
Read more

Daily Mail publisher wins case against ‘success fees’ paid to lawyers (ECtHR)

Image
Obligation on publisher of the Daily Mail to pay substantial “success fees" in defamation and breach of privacy cases was excessive. The case Associated Newspapers Limited v. the United Kingdom (application no. 37398/21) concerned the fact that Associated Newspapers Limited the publisher of the Daily Mail and the Mail on Sunday had been obliged to pay extensive costs incurred by claimants who had successfully sued it in privacy and/or defamation proceedings following articles it had published in print or online in 2017 and 2019.  Since one of the claimants had entered into a conditional fee arrangement (CFA) with his legal representative, and both had taken out “after-the-event” (ATE) insurance, Associated Newspapers Limited had been liable not only for their base costs, but also for fee uplifts including the “success fee” in the CFA and for their ATE insurance premiums.  In Chamber judgment (12.11.2024) in the case, the European Court of Human Rights held, unanimously, that t...
Read more

ECtHR elects a new Vice-President of the Court and two new Section Presidents

Image
The European Court of Human Rights has elected on 23.9.2024 a new Vice-President of the Court – Judge Ivana Jelić (elected in respect of Montenegro). She will take up her duties on 1 November 2024.  The Court has also elected at the same date two new Section Presidents – Judges Lado Chanturia (elected in respect of Georgia) and Ioannis Ktistakis (elected in respect of Greece). They will also take up their duties on 1 November 2024. Ivana Jelić was born on 17 March 1975 in Podgorica, Montenegro and was elected Judge of the European Court of Human Rights on 12 July 2018. Lado Chanturia was born on 14 April 1963 in Tsalenjikha, Georgia, was elected Judge of the European Court of Human Rights on 8 January 2018 and is Vice-President of Section since 18 May 2023. Ioannis Ktistakis was born on 3 January 1971 in Thebes, Greece and was elected Judge of the European Court of Human Rights on 8 March 2021. (source/photo: echr.coe.int) Read more here
Read more

Intellectual property: the figurative sign consisting of the phrase ‘RUSSIAN WARSHIP, GO F* *K yourself’ in Russian and English cannot be registered as an EU trade mark

Image
In its Judgment in Case T-82/24 (Administration of the State Border Guard Service of Ukraine v EUIPO) (RUSSIAN WARSHIP, GO F**K YOURSELF) the General Court ruled that the figurative sign consisting of the phrase ‘RUSSIAN WARSHIP, GO F* *K yourself’ in Russian and English cannot be registered as an EU trade mark. That phrase, which has become a symbol of Ukraine’s fight against Russian aggression, is not perceived as an indication of a commercial origin.  The Administration of the State Border Guard Service of Ukraine (Kyiv, Ukraine) requests the General Court of the European Union to annul the decision of the European Union Intellectual Property Office (EUIPO) of 1 st December 2023, which refused registration of the following figurative sign as an EU trade mark: ‘RUSSIAN WARSHIP, GO F* *K yourself’ That mark is a war cry uttered by the Ukrainian border guard on Snake Island on 24th February 2022, the first day of the full-scale Russian invasion of Ukraine. Registration was sou...
Read more

The banks Crédit agricole and Credit Suisse participated in a cartel in the sector for suprasovereign bonds, sovereign bonds and public agency bonds denominated in US dollars

Image
According to the Judgment of the General Court in Cases T-386/21 (Crédit agricole and Crédit agricole Corporate and Investment Bank v Commission) and T-406/21 (UBS Group and Credit Suisse Securities (Europe) v Commission), the banks Crédit agricole and Credit Suisse participated in a cartel in the sector for suprasovereign bonds, sovereign bonds and public agency bonds denominated in US dollars (‘SSA Bonds’).  The General Court of the European Union confirms the Commission’s finding of an infringement and maintains the amount of the fines imposed in 2021. In 2018, the European Commission initiated proceedings for infringement of the competition rules involving Deutsche Bank, Bank of America, Crédit agricole and Credit Suisse (now UBS Group [1] ).  In 2021, the Commission found that those banks had entered into an agreement on the secondary market for suprasovereign, sovereign and agency bonds denominated in dollars (SSA bonds). According to the Commission, traders employed by ...
Read more

European Ombudsman asks Commission to publish details of its handling of senior staff move to law firm

Image
The European Ombudsman has asked the European Commission to publish details about how it has handled the planned move by a former director in its competition department to the Brussels office of a US corporate law firm as a partner. Any restrictions that have been placed on the activities of the former director to mitigate potential conflicts of interest should be made public without delay, said the Ombudsman. She noted that public information about the move came from the law firm and gives the impression that the Commission has allowed a senior official to work for a company that anticipates major benefits from their inside knowledge.  The Ombudsman also noted that the Commission declined to give details about the individual’s professional experience despite the fact that the law firm itself has put out a press release detailing it. The Ombudsman has previously criticised a tendency in the EU administration to underestimate the potential negative effects of staff moves to th...
Read more

A national court is not required to apply a decision of its constitutional court that infringes EU law (ECJ)

Image
In its Judgment of 26.9.2024 in Case C-792/22 (Energotehnica) the Court of Justice ruled as regards the right to an effective remedy that a national court is not required to apply a decision of its constitutional court that infringes EU law. In such a case, the national court may not be penalised.  Following the death of an electrician by electrocution during a maintenance operation, an administrative procedure was initiated against his employer. At the same time, criminal proceedings for negligence and manslaughter were initiated against the supervisor. The victim’s next of kin also became civil parties to the criminal proceedings.  The administrative court hearing the dispute concluded that the present case did not involve an ‘accident at work’. It annulled the administrative penalties imposed on the employer. According to national legislation, as interpreted by the Romanian Constitutional Court, that administrative decision prevents the criminal court from reconsidering whe...
Read more