Cases. C‑252/21, BKar­tA vs. Meta: Opi­ni­on of the GA; Cogni­ti­on of the BKar­tA; Noti­on of spe­cial cate­go­ries of per­so­nal data; Making public.

In a decis­i­on dated Febru­ary 6, 2019, the Ger­man Fede­ral Car­tel Office (Bun­des­kar­tell­amt, BKar­tA) had pro­hi­bi­ted Meta, then Face­book, from lin­king data from ser­vices such as Whats­App and Insta­gram with the user account at Face­book unless the users had vol­un­t­a­ri­ly con­sen­ted to this. It also said that a coll­ec­tion and asso­cia­ti­on of data from third-par­ty web­sites is only per­mis­si­ble with vol­un­t­a­ry con­sent. In this con­text, que­sti­ons were sub­mit­ted to the ECJ on which the Advo­ca­te Gene­ral deli­ver­ed his Opi­ni­on on Sep­tem­ber 20, 2022 (Case 252/21)..

The BKar­tA had essen­ti­al­ly argued at the time,

• Meta has a strong posi­ti­on in the social net­wor­king mar­ket. Domi­nant posi­ti­on, and
• the mer­ging of data could Explo­ita­ti­on Abu­se represent.
• Accor­ding to the Bundeskartellamt’s inter­pre­ta­ti­on, the yard­stick for such an abu­se was com­pli­ance with the GDPR.

For this we have repor­ted.

Meta had chal­len­ged the BKartA’s order befo­re the Düs­sel­dorf Hig­her Regio­nal Court (OLG Düs­sel­dorf), and the OLG had expres­sed “serious doubts about the lega­li­ty of the­se anti­trust aut­ho­ri­ty orders” when con­side­ring the appli­ca­ti­on for the sus­pen­si­ve effect of the appeal (Decis­i­on of 26.08.2019 – Kart 1/19 (V)). In par­ti­cu­lar, the requi­red cau­sa­li­ty bet­ween the data pro­ce­s­sing in que­sti­on and the mar­ket power was not to be mea­su­red against the GDPR, but against anti­trust principles:

… Face­book is accu­sed not only of a vio­la­ti­on of data pro­tec­tion law, but also of a vio­la­ti­on of anti­trust law […]. It is the­r­e­fo­re irrele­vant – con­tra­ry to the view of the Bun­des­kar­tell­amt – whe­ther (1.) the con­sent requi­red from users when regi­stering for Facebook’s social net­work meets the requi­re­ments of vol­un­t­a­ry con­sent to the pro­ce­s­sing of per­so­nal data within the mea­ning of Art. 4 No. 11, 6 (1) sen­tence 1 a DSGVO, […].

The Bun­des­kar­tell­amt can­not be fol­lo­wed in its con­clu­si­on that Facebook’s data pro­tec­tion inf­rin­ge­ment under assess­ment could not be com­mit­ted “in this way” by com­pe­ti­tors wit­hout a domi­nant posi­ti­on […]. This approach falls short of the mark. For the beha­vi­oral cau­sa­li­ty, only the que­sti­on can be decisi­ve, Whe­ther the legal inf­rin­ge­ment alle­gedly imply­ing the abu­se – here: the coll­ec­tion, lin­king and use of the addi­tio­nal data pro­vi­ded for in the terms of use requi­ring con­sent – can be cau­sal­ly attri­bu­ted to mar­ket domi­nan­ce is. […]

In the fur­ther pro­ce­e­dings, the OLG had asked the ECJ some questions

• in con­nec­tion with the cogni­ti­on of the mem­ber sta­te anti­trust aut­ho­ri­ties, but also
• the noti­ons of spe­cial cate­go­ries of per­so­nal data within the mea­ning of Artic­le 9(1) of the GDPR and
• of “obvious public dis­clo­sure” accor­ding to Art. 9 (2) lit. e DSGVO and
• the legi­ti­ma­te inte­rest (Art. 6 para. 1 lit. f DSGVO)

sub­mit­ted.

The Advo­ca­te Gene­ral sta­tes or takes the fol­lo­wing posi­ti­on in this regard, inter alia:

• The BKar­tA Was allo­wed to con­sider the incom­pa­ti­bi­li­ty of the con­duct with the GDPR when exami­ning the abu­se of a domi­nant posi­ti­on. The BKar­tA is only not allo­wed to deter­mi­ne a breach of the GDPR instead of a data pro­tec­tion aut­ho­ri­ty or to sanc­tion it, but it is allo­wed to take into account inci­den­tal­ly whe­ther a breach of the GDPR has occur­red. Howe­ver, the com­pe­ti­ti­on aut­ho­ri­ty must inform the com­pe­tent data pro­tec­tion aut­ho­ri­ty, and if a data pro­tec­tion super­vi­so­ry aut­ho­ri­ty has inter­pre­ted a pro­vi­si­on of the GDPR, a com­pe­ti­ti­on aut­ho­ri­ty may, howe­ver, in prin­ci­ple not devia­te from this inter­pre­ta­ti­on. In case of doubt, it should con­sult with the com­pe­tent or natio­nal super­vi­so­ry authority.
• At Con­cept of spe­cial cate­go­ries of per­so­nal data no distinc­tion should be made bet­ween per­so­nal data that are sen­si­ti­ve becau­se they “reve­al” a spe­ci­fic situa­ti­on and tho­se that are sen­si­ti­ve by natu­re (despi­te the “some­what obscu­re wor­ding” of Art. 9(1)(a) GDPR – this is pro­ba­b­ly the reac­tion of a rea­der out­side the data pro­tec­tion bubble). This was alre­a­dy the direc­tion taken by the ECJ in Rs. C‑184/20.
• Meta does not neces­s­a­ri­ly pro­cess par­ti­cu­lar­ly sen­si­ti­ve data as soon as infor­ma­ti­on about the call to a sen­si­ti­ve web­site is coll­ec­ted. Meta had then also repre­sen­ted, such a pro­ce­s­sing is only pre­sent if users accor­ding to appro­pria­te cri­te­ria cate­go­ri­zed be
  

  This would only be the case if the users were cate­go­ri­zed on the basis of the­se data. The­r­e­fo­re, the data that are the sub­ject of the dis­pu­ted prac­ti­ce would only fall under the pro­tec­tion of Artic­le 9(1) GDPR if they rela­te to one of the cate­go­ries cover­ed by that pro­tec­tion and are sub­jec­tively pro­ce­s­sed in full know­ledge of the facts and with the inten­ti­on of deri­ving tho­se cate­go­ries of information.

  The BKar­tA, on the other hand, had taken the view that the fact of cal­ling up a cer­tain web­site or using a cer­tain app, the main sub­ject mat­ter of which falls within an area pur­su­ant to Art. 9 (1) GDPR, alre­a­dy con­sti­tu­tes per­so­nal data wort­hy of spe­cial pro­tec­tion. The GA, on the other hand, belie­ves that the decisi­ve fac­tor for Art. 9 GDPR is,

  whe­ther the data pro­ce­s­sed allow enable, [indi­vi­du­al­ly or aggre­ga­ted] a User pro­fi­le with regard to the cate­go­ries resul­ting from the enu­me­ra­ti­on of sen­si­ti­ve per­so­nal data con­tai­ned in this provision.

  In con­trast, it was not neces­sa­ry for the con­trol­ler to pro­cess this data with the aim of deri­ving spe­cial cate­go­ries of infor­ma­ti­on – it was suf­fi­ci­ent if the cor­re­spon­ding dan­ger objec­tively existed.

• The pro­ce­s­sing of spe­cial cate­go­ries of per­so­nal data is per­mis­si­ble, among other things, if the data sub­ject has pro­vi­ded them Obvious­ly public (Art. 9(2)(e) GDPR; note: actual­ly, this is wrong, then only the pro­hi­bi­ti­on of para. 1 is lifted, the legal basis its­elf then lies in Art. 6(1)(f) GDPR). Howe­ver, accor­ding to the GA, this hap­pens in any case not alre­a­dy by the fact that a user calls up a web­site or uses an app. Even if a user shares sen­si­ti­ve per­so­nal data with third par­ties via a web­site or app, he dis­c­lo­ses it only to a defi­ned group of peo­p­le and not to the gene­ral public.
• Con­sent within the mea­ning of Artic­le 9 (2) (a) of the GDPR is not dee­med to exist in the fol­lo­wing cases Coo­kies con­sent. Here the user cons­ents to track­ing, but not the pro­ce­s­sing of sen­si­ti­ve data.
• A Justi­fi­ca­ti­on by con­trac­tu­al neces­si­ty The con­sent within the mea­ning of Artic­le 6 (2) (b) of the GDPR can­not be achie­ved by inclu­ding cor­re­spon­ding pro­vi­si­ons in the gene­ral terms and con­di­ti­ons. In order to pre­vent cir­cum­ven­ti­on of con­sent, one would have to be strict here. What would be requi­red is a objec­ti­ve Neces­si­ty of the con­tract. Per­so­na­lizati­on of con­tent could also be in the inte­rest of users, but only if it is neces­sa­ry and in line with user expec­ta­ti­ons. This is que­stionable if data from exter­nal sources is also used for personalization.
• A legi­ti­ma­te inte­rest of meta – out­side of sen­si­ti­ve data – would have to be exami­ned on a case-by-case basis. Again, it was que­stionable whe­ther such an inte­rest could exist if data from third-par­ty sources were used. In any case, the pro­ce­s­sing would have to be justi­fi­ed for the legi­ti­ma­te inte­rest of the data subject.
  

  be limi­t­ed to what is abso­lut­e­ly neces­sa­ry. The­r­e­fo­re, a clo­se link bet­ween the pro­ce­s­sing and the per­cei­ved inte­rest exist if the­re are no alter­na­ti­ves less pre­ju­di­cial to the pro­tec­tion of per­so­nal data, becau­se it is not suf­fi­ci­ent that the pro­ce­s­sing is mere­ly useful for the controller.

  In the case of per­so­na­lizati­on, the que­sti­on is whe­ther the use of third-par­ty sources is real­ly neces­sa­ry and “what ‘degree of per­so­na­lizati­on’ of adver­ti­sing is objec­tively requi­red in this regard.” Also with regard to the inte­rest of Net­work secu­ri­ty whe­ther third-par­ty data is requi­red, and in the case of the Pro­duct impro­ve­ment it was all the more que­stionable that it con­sti­tu­ted a legi­ti­ma­te interest.

• At the Vol­un­t­a­ri­ness of con­sent Final­ly, Meta’s mar­ket power had to be taken into account – in other words, the oppo­si­te approach of the BKartA:
  

  … I am of the opi­ni­on that a pos­si­ble domi­nant posi­ti­on of the con­trol­ler of per­so­nal data ope­ra­ting a social net­work, plays a role in asses­sing whe­ther the­re is vol­un­t­a­ry con­sent of the user of this net­work. Inde­ed, the exi­stence of mar­ket power of the con­trol­ler of per­so­nal data may lead to a mani­fest imba­lan­ce of power in the sen­se descri­bed in point 74 of the pre­sent Opi­ni­on. Howe­ver, it must be cla­ri­fi­ed that, on the one hand, such mar­ket power, in order to be rele­vant for the appli­ca­ti­on of the GDPR, does not neces­s­a­ri­ly meet the thres­hold of a domi­nant posi­ti­on. within the mea­ning of Art. 102 TFEU and, second­ly, that this cir­cum­stance alo­ne does not requi­re con­sent. not fun­da­men­tal­ly depri­ve any vali­di­ty can.