Close

Your shopping cart is empty

Meta (Facebook) and personalised advertising: What you should know about the recent ruling of the European Court of Justice (ECJ, judgment of 04.07.2023, C-252/21)

In the current ruling on Meta Platforms (formerly Facebook), the European Court of Justice uses clear language to clarify the interpretation of the legal basis of the GDPR and the area of personalised online marketing.

The ruling is particularly exciting as the ECJ makes clear statements on the jurisdiction for orders and violations of data protection law and their enforcement.

How did the preliminary ruling before the ECJ in the case “Bundeskartellamt versus Meta Platforms Inc., Meta Platforms Ireland Ltd. and Facebook Deutschland GmbH” come about?

In February 2019, the German Federal Cartel Office issued an order prohibiting the Meta Group from collecting its users’ data.

In this decision, the Bundeskartellamt prohibited ” […] to make the use of the Facebook social network dependent on the processing of users’ off-Facebook data and to process this data without their consent on the basis of the General Terms of Use in force at the time.” In short, Meta should not be allowed to generate data that is collected via third-party websites and apps through Facebook and their APIs or “like” information.

In addition, the Federal Cartel Office obliges the company to adjust its terms of use. These should then clearly state that the data in question may not be collected and linked to the relevant user accounts without the user’s consent. Consent that is a condition for using the social network is invalid, according to the Federal Cartel Office.

Meta then took action against this order in summary and main proceedings. While the Higher Regional Court overturned the injunction in summary proceedings, the Federal Court of Justice confirmed the injunction in the subsequent appeal proceedings of the Federal Cartel Office and rejected Meta’s urgent appeal.

In the ongoing main proceedings, the Düsseldorf Higher Regional Court was unsure about some legal questions of European law and referred these to the ECJ for a ruling as part of a referral procedure.

Simply explained: “What is a referral procedure and what is decided there?”

In a referral procedure, preliminary rulings can be obtained from the European Court of Justice. A national court can request a preliminary ruling from the ECJ if the issue is relevant to the legal dispute. This must involve the interpretation and application of European law – in this case the GDPR.

In order to prevent divergent interpretation and application of EU law by the courts of the European member states, the preliminary ruling procedure serves to ensure the legal unity of the EU. The resulting decision of the ECJ – for example on the GDPR – is then binding for all national courts and authorities on the disputed issue.

What questions have been referred to the European Court of Justice?

The Higher Regional Court referred seven questions to the European Court of Justice, which can be summarised thematically as the following four key questions:

  • Responsibility of the authorities

Can the Bundeskartellamt, as a competition authority, examine law that concerns the processing of personal data and thus the scope of application of the GDPR, or is this competence reserved exclusively for the data protection authorities?

  • “Publicly accessible” data

To what extent are sensitive data within the meaning of Article 9 para. 1 of the GDPR (such as political interests, religious affiliation, health information or sexual preferences) as “publicly available” if, for example, the user discloses their consent by clicking “Like” on a Facebook page? And what powers does the operator of online social networks have with regard to the use of such data?

  • The legal basis

What is the legal basis on which social network operators can and may process the personal data of the users concerned?

  • The effectiveness of consent

Can consent to the processing of sensitive data be effectively given by the user if the company obtaining the consent has a dominant market position?

What did the European Court of Justice answer to the questions in the referral procedure?

Question 1: Is the Federal Cartel Office, as the competition authority, entitled to review the GDPR?

The ECJ clearly affirms that the Federal Cartel Office is entitled to examine the provisions of data protection law. This also applies if the Federal Cartel Office takes the GDPR into account as part of an abuse of dominant market power.

The tasks of the supervisory and antitrust authorities differ considerably. While the supervisory authorities are responsible for monitoring and enforcing the GDPR (Art. 51 et seq. GDPR), the antitrust authorities aim to protect the market, including consumer interests. To this end, they check whether certain companies may have a dominant market position and may be abusing it.

The business model of social networks is based on the broadest possible processing of user data to which a monetary value can be attached. They use their processing for profit-making purposes. This creates an interface between data protection law and competition law. Especially as data processing has become a key factor in Meta’s market position.

The European Court of Justice is of the clear opinion that there is no blocking effect between claims from the legal areas of competition law, consumer protection law and data protection law. These three pillars may be applied in parallel as long as the antitrust authorities remain within the framework of the law laid down by the ECJ and essentially follow the views of the data protection authorities.

This calls for cooperation between the individual authorities. The authorities undertake to coordinate with each other. If there is no response from the authority questioned within a certain period of time, the Bundeskartellamt may continue the investigation on its own.

Question 2: Is sensitive data automatically considered “publicly accessible” by using the social network?

The ECJ answers this question in the negative. The data is not considered to be publicly accessible.

If the user provides data in apps or on websites that have an API to Facebook, this data is not considered to have been made publicly available within the meaning of Art. 9 para. 2 e) GDPR. This means that this data may not be further processed by the operator of the social network. Even clicking on the “Like” sign does not express such a general publication.

Only if the user has the opportunity to express in a transparent and unambiguous manner that he agrees to the use of his data, then the operator is also authorised to use it.

Question 3: What legal basis can operators of online networks rely on to process users’ personal data?

Art. 6 of the GDPR provides several legal bases to justify the processing of personal data.

Contract fulfillment as the legal basis (Art. 6 I b) GDPR)

Art. 6 I b) GDPR provides that the processing of personal data is possible in the event that it is “objectively necessary” for the performance of the contract. It cannot be denied that personal data is required to guarantee the functionality of a social network. In any case, Meta argues that personal data is essential to optimise the personalisation of user profiles in order to meet the interests of users. Such personalisation – in the eyes of the ECJ – is not necessary, at least not “objectively indispensable” within the meaning of the GDPR.

Consequently, the ECJ clearly states that Meta cannot base the personalisation of the user profile and its (advertising) content on the legal basis of contract performance.

The legitimate interest as a legal basis (Art. 6 1 f) GDPR)

If the controller has a legitimate interest, this must meet two further requirements in order to serve as a legal basis:

1. The processing of the data must be necessary to realise the interest

2. No fundamental rights and freedoms of users worthy of protection may outweigh the legitimate interest.

The ECJ weighs up various interests of Meta, including ensuring network security, personalisation of advertising and product improvement could constitute a potential legitimate interest.

The ECJ is particularly certain with regard to ensuring network security and product improvement: such an interest justified a comprehensive obligation to provide evidence for Meta in the course of its extraordinary dominant market position. The way in which Facebook makes use of comprehensive data processing, in particular from external sources, therefore strongly argues against justification within the scope of legitimate interest when weighing up the interests of users.

In addition, the ECJ emphasises that the user of the social network does not have to expect that their personal data will be used on a large scale for personalisation purposes. This shows that the protection of the user prevails.

The protection of a vital interest as a legal basis (Art. 6 I d) GDPR)

This Article is aimed at protecting vital interests and performing a task carried out in the public interest or in the exercise of official authority.

In its recital, the ECJ mentions, for example, humanitarian purposes and their spread or humanitarian emergencies such as natural disasters as a legitimate vital interest that could fall within the scope of the article.

From the required narrow interpretation of this sub-case as a legal basis, it is clear from the tone of the ECJ’s judgment that such a vital interest does not exist in the disputed case. The ECJ therefore emphasises once again that Meta, as a private company, does not take on any tasks that are in the public interest in an abstract manner or consist of the exercise of official authority.

Question 4: Can consent to the processing of sensitive data be effectively given by the user if the company obtaining the consent has a dominant market position?

Meta could be entitled to process the (sensitive) data of its users if there is consent from the user (Art. 6 I 1) GDPR). This is possible even if the company has a dominant market position.

However, according to the provisions of the GDPR, this consent must be voluntary.

In its ruling, the ECJ primarily discussed the voluntary component of consent. According to the wording of the court, consent to processing can only be effective if it has been given voluntarily, in an informed, unambiguous and explicit manner . In this case, it must be particularly clear that a distinction can be made between the data generated on the social network and the off-Facebook data when the user gives consent.

It should also be noted that the user’s freedom of choice may be impaired if the user is not given the opportunity to refuse or withdraw their consent without suffering any disadvantages, especially if they are denied access to the platform.

When can a final judgment be expected?

The oral hearing before the ECJ took place on May 10, 2023. The Advocate General’s opinion is expected at the end of September. A ruling can therefore be expected towards the end of the 2023 calendar year.

Conclusion:

In its ruling, the ECJ provided many explanations on the application, jurisdiction and interpretation of data protection law. In principle, it has maintained its interpretation of the GDPR regulations. However, with this ruling, the ECJ has made it clear that the competition and data protection authorities should cooperate and not compete in order to ensure continuity in the monitoring of the GDPR. In addition, the European Court of Justice has adopted a narrower interpretation of Art. 6 GDPR in order to limit the cases of application and restrict the abuse of the legal bases of large data processing companies.

In diesem Artikel