In a decision dated February 6, 2019, the German Federal Cartel Office (Bundeskartellamt, BKartA) had prohibited Meta, then Facebook, from linking data from services such as WhatsApp and Instagram with the user account at Facebook unless the users had voluntarily consented to this. It also said that the collection and association of data from third-party websites is only permissible with voluntary consent. In this context, questions were submitted to the ECJ, on which the Advocate General delivered his Opinion on September 20, 2022 (Case 252/21).
The BKartA had essentially argued at the time that
- Meta holds a dominant position in the social networking market, and
- the merging of data could constitute an exploitative abuse.
- According to the Bundeskartellamt’s interpretation, the yardstick for such an abuse was compliance with the GDPR.
We have reported on this.
Meta had challenged the BKartA’s order before the Düsseldorf Higher Regional Court (OLG Düsseldorf), and the OLG had expressed “serious doubts about the legality of these antitrust authority orders” when considering the application for the suspensive effect of the appeal (Decision of 26.08.2019 – Kart 1/19 (V)). In particular, the required causality between the data processing in question and the market power was not to be measured against the GDPR, but against antitrust principles:
… Facebook is accused not only of a violation of data protection law, but also of a violation of antitrust law […]. It is therefore irrelevant – contrary to the view of the Bundeskartellamt – whether (1.) the consent required from users when registering for Facebook’s social network meets the requirements of voluntary consent to the processing of personal data within the meaning of Art. 4 No. 11, 6 (1) sentence 1 (a) GDPR, […].
In the further proceedings, the OLG had asked the ECJ some questions concerning
- the scope of review (cognizance) of the member state antitrust authorities, but also
- the notions of special categories of personal data within the meaning of Article 9(1) of the GDPR and
- of “obvious public disclosure” according to Art. 9 (2) lit. e GDPR and
- the legitimate interest (Art. 6 para. 1 lit. f GDPR).
The Advocate General takes the following positions in this regard, inter alia:
- The BKartA was allowed to consider the incompatibility of the conduct with the GDPR when examining the abuse of a dominant position. The BKartA may not establish or sanction a breach of the GDPR in place of a data protection authority, but it may take into account incidentally whether a breach of the GDPR has occurred. However, the competition authority must inform the competent data protection authority, and if a data protection supervisory authority has interpreted a provision of the GDPR, the competition authority may not, in principle, deviate from this interpretation. In case of doubt, it should consult with the competent or national supervisory authority.
- Regarding the concept of special categories of personal data, no distinction should be made between personal data that are sensitive because they “reveal” a specific situation and those that are sensitive by nature (despite the “somewhat obscure wording” of Art. 9(1)(a) GDPR – this is probably the reaction of a reader outside the data protection bubble). This was already the direction taken by the ECJ in Case C‑184/20.
- Meta does not necessarily process particularly sensitive data as soon as information about a visit to a sensitive website is collected. Meta had accordingly argued that such processing only occurs if users are categorized according to corresponding criteria:
This would only be the case if the users were categorized on the basis of these data. Therefore, the data that are the subject of the disputed practice would only fall under the protection of Article 9(1) GDPR if they relate to one of the categories covered by that protection and are subjectively processed in full knowledge of the facts and with the intention of deriving those categories of information.
The BKartA, on the other hand, had taken the view that the mere fact of visiting a certain website or using a certain app, the main subject matter of which falls within an area pursuant to Art. 9 (1) GDPR, already constitutes personal data worthy of special protection. The Advocate General, by contrast, believes that the decisive factor for Art. 9 GDPR is
whether the data processed allow, [individually or aggregated], a user profile to be created with regard to the categories resulting from the enumeration of sensitive personal data contained in this provision.
In contrast, it was not necessary for the controller to process this data with the aim of deriving special categories of information – it was sufficient if the corresponding danger objectively existed.
- The processing of special categories of personal data is permissible, among other things, if the data subject has obviously made them public (Art. 9(2)(e) GDPR; note: actually, this is wrong; in that case only the prohibition of para. 1 is lifted, and the legal basis itself then lies in Art. 6(1)(f) GDPR). However, according to the Advocate General, this is in any case not already so merely because a user visits a website or uses an app. Even if a user shares sensitive personal data with third parties via a website or app, he discloses it only to a defined group of people and not to the general public.
- Consent within the meaning of Article 9 (2) (a) of the GDPR is not contained in a cookie consent. Here the user consents to tracking, but not to the processing of sensitive data.
- A justification by contractual necessity within the meaning of Article 6 (2) (b) of the GDPR cannot be achieved by including corresponding provisions in the general terms and conditions. In order to prevent circumvention of consent, one would have to be strict here. What would be required is an objective necessity for the contract. Personalization of content could also be in the interest of users, but only if it is necessary and in line with user expectations. This is questionable if data from external sources is also used for personalization.
- A legitimate interest of Meta – outside of sensitive data – would have to be examined on a case-by-case basis. Again, it was questionable whether such an interest could exist if data from third-party sources were used. In any case, the processing for the legitimate interest of the data subject would have to
be limited to what is absolutely necessary. Therefore, a close link between the processing and the perceived interest must exist if there are no alternatives less prejudicial to the protection of personal data, because it is not sufficient that the processing is merely useful for the controller.
In the case of personalization, the question is whether the use of third-party sources is really necessary and “what ‘degree of personalization’ of advertising is objectively required in this regard.” With regard to the interest in network security, too, the question is whether third-party data is required, and in the case of product improvement it was all the more questionable whether it constituted a legitimate interest.
- Finally, in assessing the voluntariness of consent, Meta’s market power had to be taken into account – in other words, the reverse of the BKartA’s approach:
… I am of the opinion that a possible dominant position of the controller of personal data operating a social network plays a role in assessing whether there is voluntary consent of the user of this network. Indeed, the existence of market power of the controller of personal data may lead to a manifest imbalance of power in the sense described in point 74 of the present Opinion. However, it must be clarified that, on the one hand, such market power, in order to be relevant for the application of the GDPR, does not necessarily have to meet the threshold of a dominant position within the meaning of Art. 102 TFEU and, secondly, that this circumstance alone cannot, in principle, deprive consent of any validity.