In a landmark judgment issued on July 4, 2023, the European top court, the Court of Justice (ECJ), ruled that competition authorities in the EU can consider a company’s compliance with the EU’s data protection rules when assessing whether it abused its dominant position. In addition, the ECJ ruled on important General Data Protection Regulation (GDPR) clarifications on the legal bases for personalized advertising.

The judgment sets out how competition agencies should cooperate with data protection agencies when conducting competition investigations involving the consideration of whether a company’s data collection and processing practices comply with EU data protection rules.

Background

In 2019, the German Federal Cartel Office (FCO) found that Meta’s data policy requiring new Facebook users to provide consent to merge data from outside the platform amounted to an abuse of dominant position.¹ Users were not able to use Facebook’s services without having their data combined across services (i.e., this was a condition in the terms of use that each user had to accept to access the services). The FCO found that such intensive data processing should only be possible where the user explicitly consents to such use of their data.² Under the EU’s GDPR, consent to the processing of personal data must be separate from the agreement to terms and conditions (“not bundled”) in order for it to be valid. The FCO prohibited Meta from engaging in these data practices, deeming them a GDPR violation and an exploitative abuse of dominance under competition law. Meta sought to overturn the FCO’s decision in the Higher Regional Court of Düsseldorf, which subsequently referred questions to the ECJ to help it assess the case.

ECJ Judgment

Key Antitrust Implications

In its judgment, the ECJ confirmed that a competition authority, when assessing whether a company abused its dominant position, can examine whether the company’s conduct complies with other relevant regulations, such as the GDPR. While the ECJ judgment allows competition agencies to assess GDPR breaches as part of a competition investigation, these agencies are not compelled to do so. For example, in instances where privacy practices—and GDPR infringements in particular—are the only form of abuse assessed by a competition agency, the ECJ notes that it may be more appropriate for the issue to be resolved by a sectoral regulatory agency—e.g., a data protection authority (DPA). To ensure consistent application of the GDPR, the ECJ stresses that national competition agencies, when considering GDPR compliance as part of an abuse of dominance investigation, must “consult and cooperate sincerely” with their appropriate sectoral regulatory counterparts (such as DPAs) and consult DPAs as soon as there is a doubt as to the scope of GDPR provisions. Competition agencies should wait for DPAs to take action before proceeding on the basis of competition rules but can do so if they receive no objections or responses from the relevant DPA within a reasonable timeframe. If the conduct being assessed is already subject to a decision by a DPA or the ECJ, the competition agency cannot depart from it (but can come to its own conclusions from a competition law perspective). In this case, the FCO had engaged with the Irish and German DPAs, fulfilling its duty of cooperation.

Key Privacy Implications

• High threshold for personalized advertising based on legitimate interest. While the ECJ held that processing personal data to deliver personalized ads could in theory qualify as a legitimate interest, it found on the facts that Meta’s data processing activities did not satisfy the balancing test. The ECJ considered that Meta’s ad personalization activities could not fall within the “reasonable expectations” of Facebook users. The ECJ also considered that Meta’s collection of personal data was “particularly extensive” as it relates to “potentially unlimited data” and users may feel that their “private life is being continuously monitored.” On a related note, the ECJ also stressed that “particular attention” should be paid to the situation where data of children are processed for marketing and personalization purposes.
• The ECJ expresses doubts that the personalization of content provided to the user is strictly necessary to the contract. When assessing the possibility for Meta to rely on the performance of the contract with the user as a legal basis, the ECJ noted that while personalization of content is useful to the user, it “does not appear” to be necessary to offer the services of an online social network as such companies may provide users with an alternative version of the service without personalized content. In addition, the ECJ held that processing must be “objectively indispensable” for a purpose that is “integral to the contractual obligation.” According to the ECJ, the fact that the processing mentioned in the contract or merely useful for its performance is “irrelevant.”
• Strict interpretation of sensitive data. The ECJ considered that the (bulk) processing of a data set including both sensitive and nonsensitive data is already subject to the GDPR regulation for sensitive data if the data set contains only one sensitive data item. In addition, the ECJ ruled that interactions with websites or apps (e.g., by tapping on “share” or “like” buttons or by entering information into websites) may only be considered as “manifestly made public” by the user if there are “individual settings” available to the user to decide whether to make the information accessible to the public or not.
• Dominant market position does not exclude per se consent as a valid legal basis. Importantly, the ECJ held that a dominant market position by a company does not, as such, prevent users to freely give their consent. This is a noteworthy clarification and departure from the position expressed by the European Data Protection Board,³ according to which in situations of clear imbalance between companies and individuals, consent may not be considered as freely given. However, it is for the dominant company to prove that consent was freely given.
• Charging a fee to provide services is an equivalent alternative to obtain consent. The ECJ also held that companies may charge an appropriate fee for providing services as an equivalent alternative to obtaining users’ consent for personalized advertising. This is a helpful clarification as EU privacy regulators had issued conflicting guidance on “pay or okay” models in the past.

Wilson Sonsini Insights

The FCO’s 2019 decision is the first time an EU competition authority has considered data protection rules as a core part of an abuse of dominance assessment (or any competition case). This approach is now validated by the ECJ, opening the door for competition agencies to consider GDPR compliance in their assessment of competition cases. However, competition agencies will not have “carte blanche,” as they will have to justify why a GDPR breach (or any violation of another regulatory framework) is relevant to their competition law assessment.

Separately, the ECJ judgment stresses the need for coordination between competition and data protection agencies—and more generally other sectoral regulators. While the ECJ makes clear that competition agencies must not depart from data protection agencies’ decisional practice, there remains a potential for inconsistent and conflicting enforcement and interpretations of the rules absent more structural cooperation. In this context, companies subject to competition investigations involving assessments of their data collection/processing practices will need to be prepared to educate competition authorities on their GDPR compliance. In particular, companies with an alleged dominant position should be prepared to show that the data collection/processing consent they obtained from users was freely given.

^[1]FCO Press Release, Bundeskartellamt prohibits Facebook from combining user data from different sources, February 7, 2019, available here.

^[2]The FCO based its finding of infringement on a theory of “exploitative abuse,” according to which a dominant company’s practice negatively affects its commercial partners or (in this case) customers/users directly rather than indirectly through the exclusion of competitors and a consequent reduction in competitive offerings (a so-called “exclusionary abuse”). The theory of an “exploitative abuse” has generally not been used by EU enforcers in the past except for cases related to excessive pricing.

^[3]Guidelines 05/2020 on consent under Regulation 2016/679, paras. 16 et seq, available here.