The origin of the case is an order issued in February 2019 by the German Federal Cartel Office (Bundeskartellamt) against multiple members of what is now the Meta Group. Therein, the Federal Cartel Office prohibited these companies from automatically merging user data collected on Facebook itself with data collected from third-party sources, unless users explicitly consent to such data merging. Third-party sources that Facebook commonly relies on are services like Instagram and WhatsApp, which are also operated by Meta, and third-party websites that have implemented Facebook tracking technology.
Data protection law meets competition law
At first sight, the order of the Federal Cartel Office seems to be in line with other actions of authorities attacking the extensive data processing activities of the Meta Group. However, the unusual part of the order is that the Federal Cartel Office is by no means a data protection authority but an anti-trust agency. Nevertheless, the Federal Cartel Office first assessed Facebook's activities under EU data protection law, concluding that Facebook has no legal basis under Art. 6 GDPR to conduct the data merging. Only in a second step did the Federal Cartel Office consider the violation of data protection requirements to be a "manifestation of Facebook's market power" and thus a violation of section 19(1) of the German Law Against Restrictions on Competition (Gesetz gegen Wettbewerbsbeschränkungen).
Unsurprisingly, Facebook turned to the Higher Regional Court of Düsseldorf (Oberlandesgericht Düsseldorf) to challenge the order of the Federal Cartel Office. The court then decided to stay the proceedings and referred several questions to the CJEU concerning the Federal Cartel Office's jurisdiction to assess data protection law and the lawfulness of data merging by Facebook. In particular, the court asked whether tracking users visiting websites that relate to the criteria of Art. 9 (1) GDPR, such as flirting apps, gay dating sites, political party websites, and merging the tracking data with Facebook data falls under the strict requirements of Art. 9 (1) GDPR.
Competition agencies can consider the GDPR
Advocate General Rantos generally supports the approach of the Federal Cartel Office that a data protection violation can lead to a violation of competition law. He argues that competition authorities may consider GDPR compliance as an "incidental question". However, such compliance shall not be "taken in isolation but considering all the circumstances of the case". In addition, a competition agency is bound by any decisions of the competent data protection authority.
Art. 9 (1) GDPR may always apply, but no one knows when exactly
With regard to the stated Art. 9 (1) GDPR question, the Advocate General remained rather vague. He states that "it might be worth distinguishing, where appropriate, between the processing of data which prima facie may be categorized as sensitive personal data, which alone allow profiling of the data subject, and the processing of data that are not inherently sensitive but require subsequent aggregation in order to draw plausible conclusions for profiling purposes." This does not answer the very relevant question of under which circumstances the process of distinguishing leads to the conclusion that Art. 9 (1) GDPR is applicable and under which circumstances it does not. The Advocate General seems to imply that Art. 9 (1) GDPR applies if the combined data available to the controller allows the conclusion that a data subject has a property protected by Art. 9 (1) GDPR. But nobody knows when the required threshold of certainty is met.
Unfortunately, the Advocate General did not follow the very reasonable solution offered by Facebook that Art. 9 (1) GDPR only applies if the controller intends to derive information relating to Art. 9 (1) GDPR criteria from the available data. This means that the Advocate considers online advertising companies to potentially violate Art. 9 (1) GDPR even if they do not offer targeting criteria that fall under Art. 9 (1) GDPR such as sexual orientation or political views. It remains unclear how such companies can implement a compliance mechanism to avoid violating Art. 9 (1) GDPR. It would be absurd to obligate companies to data mine for any potential Art. 9 (1) GDPR categories only to require them to delete data sets that allow any conclusions concerning sensitive data categories.
Controllers need to explicitly specify why processing is necessary
The Advocate General does not directly assess whether or not the data merging activities of Facebook fall under Art. 6(1)(b), (c), (d), (e) and (f) GDPR, but offers lengthy guidance for the Higher Regional Court of Düsseldorf to apply – if followed by the CJEU. The Advocate General emphasizes the responsibility of the controller under Art. 5(2) GDPR to demonstrate that the processing of data complies with the GDPR. As a result, Facebook needs to "specifically put forward" that
- "the processing is objectively necessary for the provision of the services relating to the Facebook account;
- the processing is necessary for the purposes of the legitimate interests (…)"
- "the processing is necessary to respond to a legitimate request for certain data, to combat harmful behaviour and promote security, to conduct research in the public interest and to promote safety, integrity and security."
It is doubtful whether the lengthy but again rather vague positioning of the Advocate General is worth the wait for the Higher Regional Court of Düsseldorf, as the court itself is also able to conduct research on CJEU case law. It seems that the broadly drafted questions of the German court have led to equally broadly drafted answers of the Advocate General that are comprehensive but not very concise.
In spite of being in a dominant market position, Facebook can still collect consent for data processing
Finally, the Advocate General had to position himself on the question of whether or not being in a dominant position in the national market for online social networks prevents Facebook from obtaining GDPR consent. In rather clear words, the Advocate states that market dominance is a factor that needs to be considered when assessing if consent is freely given, but does not on its own render consent invalid.
Hope for clarifications by the CJEU
In the end, the most interesting, yet frightening part of the Opinion is the Advocate General's take on Art. 9 (1) GDPR. We have to hope for the CJEU to consider that companies also need to have a way to comply with Art. 9 (1) GDPR. If the CJEU follows the approach of the Advocate General without modification, every company collecting personal data for online advertising will at least to some extent unknowingly violate Art. 9 (1) GDPR.