The CJEU's judgement in Meta Platforms Inc. v Bundeskartellamt: the spotlight on lawful bases for processing data
Locations
Why is this judgement significant?
This CJEU judgement clarifies several important issues relevant not only to social media companies but to all controllers determining legal bases for processing personal data. It highlights a strict approach to legal bases for personalised advertising and the fact that for the largest companies, unlawful data processing can constitute abuse of a dominant market position.
The CJEU's findings have set the scene for regulatory enforcement as illustrated by the Norwegian DPA's temporary emergency ban on Meta's behavioral advertising in Norway and the EDPB's recent urgent binding decision instructing the DPC to impose a ban on Meta's processing of personal data for behavioural advertising without consent across the EEA. The impact of the CJEU's decision on social media business models is becoming clear as Meta has recently changed the legal basis for behavioral advertising in the EEA and Switzerland and introduced a subscription model giving users in those countries an option to pay to avoid targeted ads.
All controllers should note the CJEU's findings regarding processing for network security, product/service improvement or compliance with law enforcement requests, as well as the application of Article 9 GDPR in a social media context.
Background
This CJEU's judgement concerns an appeal from a 2019 order by the German Federal Cartel Office (Bundeskartellamt) ("FCO") against Meta Platforms, Meta Platforms Ireland and Facebook Deutschland ("Meta").
The FCO found that Meta's collection of data off Facebook and the subsequent merging of data for personalised advertising purposes without users' consent, infringed data protection law and constituted an abuse of Meta's dominant market position. The German court hearing Meta's appeal requested a preliminary ruling from the CJEU. See more in Fieldfisher's earlier blog.
Key findings on legal bases for personalised advertising
Contractual necessity
Processing “necessary” for the performance of a contract must be "objectively indispensable", meaning that the contract cannot be performed using less privacy intrusive alternatives. The fact that processing is merely useful or referenced in the contract, is not sufficient. Where a contract covers multiple services, contractual necessity must be assessed for each of them.
Whilst the CJEU recognises that personalised content may be useful for the user, it concludes that such processing "does not appear" necessary to offer the services of the online social network or use of Meta’s other services. As the CJEU left the factual determination to the referring court, Meta will have the opportunity to argue this point before the German court.
Legitimate interests
The CJEU rejected Meta's reliance on the legitimate interests basis for personalised advertising. It acknowledged Facebook's legitimate financial interests but found that due to the scale and impact of the relevant processing, and the fact that the user would not reasonably expect their personal data collected on and off the platform to be processed for personalised advertising, the user's fundamental rights and freedoms override Facebook's legitimate interests.
Interestingly, the CJEU's rejection of Meta's reliance on legitimate interests was specific to the facts of this case and it remains possible that the legitimate interests basis may be appropriate for personalised advertising that is less extensive.
Consent where controller holds a dominant market position
A controller's dominant market position does not exclude their reliance on consent. It might however affect the validity of consent. Users must be free to decline any processing not necessary for the performance of the contract, without being blocked from using the service. This means that consent must be granular (e.g. separate consents for the processing of the off-Facebook data) and the controller should offer access to the service based on "an equivalent alternative" to personalised advertising "if necessary, for an appropriate fee".
Legal bases for network security, product improvement and compliance with law enforcement requests
The legitimate interests basis may justify the processing of data for network security and for product improvement, if such processing is necessary for these purposes and complies with data minimisation principle. Whilst the CJEU left it for the German court to make a finding of fact on these points, it questioned whether the processing of the off-Facebook data is necessary to ensure network security. Similarly, it doubted whether Meta's interests related to product improvement could override users' rights, given the scale and impact of the processing, and the fact that the users would not reasonably expect their data to be processed for this purpose.
The CJEU clarified that the legitimate interests basis cannot be relied on for disclosures to law enforcement agencies which would only be lawful if based on a legal obligation.
Special category data
Visits to websites, to which the criteria in Article 9(1) GDPR relate, may result in collection of special category data regardless of the purpose of processing or accuracy of such data, and even without the user entering any information (i.e. collection via cookies or similar tracking technology).
A mere visit to a website does not make the data collected in the process public. Personal data (including that collected via ‘Like’ or ‘Share’ buttons) can be considered "manifestly made public" only if the user choses such option via settings. Where there are no settings, controllers must collect explicit consents. The CJEU did not determine if the data processed by Meta revealed information related to the criteria in Article 9(1) GDPR and if Facebook's settings allowed users to make an informed decision to make such information publicly accessible – this will be determined by the referring court.