A National Competition Authority Can Find a Violation of the GDPR in the Context of Examining Abuse of the Dominant Position

According to the Court of Justice of the European Union's (“Court of Justice”) decision on Meta Platforms and Others, case C-252/21 of 4 July 2023, a national competition authority can find a violation of the General Data Protection Regulation (“GDPR”) in the context of examining the abuse of dominant position. In the Court's view, subject to the obligation of sincere cooperation, it should nevertheless take into account any decision or investigation taken by the competent supervisory authority under that regulation.

Meta Platforms Ireland operates the online social network Facebook within the European Union. When users sign up for Facebook, they accept the company's general terms and data policies. According to these policies, Meta Platforms Ireland collects data on user activities on and off the social network, linking them to the user's Facebook accounts. This data, known as "off-Facebook data," includes information about visits to third-party websites and apps, as well as the use of other online services owned by the Meta group (including Instagram and WhatsApp). The collected data is used, among other things, to create personalized advertisements for Facebook users.

The German Federal Cartel Office (“Bundeskartelamt”) has prohibited Meta Platforms Ireland from processing the off-Facebook data of private users in Germany without their consent. This decision was made due to the violation of the GDPR and the abuse of Meta's dominant position in the German market for online social networks. In summary, Facebook's use of user data without explicit consent has been deemed illegal by the German authorities.

According to the Court of Justice, when investigating an abuse of a dominant position, the competition authority may also need to assess compliance with rules beyond competition law, such as the GDPR. However, if a GDPR infringement is identified, the national competition authority does not replace the supervisory authorities established by the GDPR. The sole purpose of assessing GDPR compliance is to establish an abuse of a dominant position and take measures based on competition law to end that abuse.

To ensure consistent application of the GDPR, national competition authorities must engage in sincere consultation and cooperation with the regulatory authorities overseeing GDPR. When a national competition authority needs to assess whether a company's conduct aligns with the GDPR, it must check if similar conduct has been addressed in a decision by the competent supervisory authority or the Court. If such a decision exists, the competition authority cannot deviate from it, but it is still free to draw its own conclusions within the scope of competition law.

The Court notes that Meta Platforms Ireland's data processing may involve sensitive categories of data prohibited by the GDPR. It emphasizes that a mere visit to websites or apps does not make user data public. The Court also doubts whether the processing is justified for contract performance or personalized advertising without the data subject's consent. Ultimately, the national court will determine if the data collected reveals sensitive information and assess the lawfulness of Meta Platforms Ireland's processing activities.

The Court states that the dominant position of an online social network operator does not automatically invalidate the validity of users' consent to personal data processing under the GDPR. However, the dominant position can impact users' freedom of choice and create an imbalance between them and the data controller. This factor is significant in determining the validity and freedom of the given consent, and it is the responsibility of the operator to demonstrate that the consent was validly and freely given.

You can access the full text of the press release here.

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr