Meta platforms: How the CJEU leaves competition and data protection authorities with an assignment

Competition authorities can identify a violation of the data protection rules when such a finding is necessary to establish an abuse of dominance under the competition rules. This is the main outcome of the judgment that the Court of Justice of the European Union (CJEU) delivered in Meta Platforms on 4 July 2023. The judgment is the next step in the saga that started with the 2019 competition decision of the Bundeskartellamt (the German Federal Cartel Office) requiring Facebook (now Meta) to refrain from combining user data from different sources beyond its social network. The judgment provides a welcome confirmation that data protection standards can also matter for the interpretation of the competition rules. However, what is more remarkable and less expected is the general framework the CJEU sets out for coordination between competition and data protection authorities building on the duty of sincere cooperation and the clarity with which it evaluates the different legal bases Meta invoked for processing user data. The judgment can become a reference point for assessing the legality of personal data processing by powerful firms, but also leaves competition and data protection authorities with an assignment to explore how to coordinate their work in the future.


Introduction
In a strongly worded judgment, 2 the Court of Justice of the European Union (CJEU) on 4 July 2023 answered the preliminary questions posed to it by the Higher Regional Court in Düsseldorf about whether the approach of the Bundeskartellamt (the German Federal Cartel Office) in its 2019 competition decision against Facebook (now Meta) was in line with EU law.In that decision, 3 the Bundeskartellamt had held Meta liable under German competition law for imposing unfair terms and conditions as assessed by reference to the standards laid down in the General Data Protection Regulation (GDPR). 4In its preliminary ruling, the CJEU followed the Opinion of Advocate General Rantos 5 and endorsed the Bundeskartellamt's approach to rely on the data protection rules in the GDPR for establishing an abuse of dominance under competition law.The CJEU also clarified how to interpret the legal bases available under the GDPR for personal data processing activities conducted by a powerful player like Meta and provided a framework to guide competition and data protection authorities in coordinating cases where data protection rules are of relevance for assessing compliance with competition law as well.
While the strong statements of the CJEU about Meta's personal data processing leave little room for the Higher Regional Court in Düsseldorf to form its own opinion, the CJEU's guidance about how competition authorities should coordinate their investigations with data protection authorities is more open-ended.Even though the CJEU indicates that the Bundeskartellamt in its view met the 'duty of sincere cooperation' in the case at hand, future instances may not be as straightforward and require competition and data protection authorities to establish more detailed modes of collaboration based on the pointers provided by the CJEU.This is especially relevant with the entry into force of the Digital Markets Act, 6 which regulates data-related practices that are also covered by the GDPR.
After giving an overview of the facts and background of the case in Section 2, this case comment summarizes the reasoning of the CJEU in Section 3 and then analyses several aspects of the judgment in Section 4. Section 5 concludes by giving an outlook to the future.

Facts and background of the case
The Bundeskartellamt adopted its competition decision against Meta in February 2019.According to the Bundeskartellamt, Meta held a dominant position in the market for social networks and had abused that dominance.The abuse was alleged to consist of forcing users to agree to the combination of data collected through Meta's different services and from third-party sources as a condition for being able to use the Facebook social network.The Bundeskartellamt found that Meta lacked a valid legal basis under the GDPR for this form of combining personal data and thereby engaged in an exploitative abuse under Section 19(1) of the German Competition Actthe Gesetz gegen Wettbewerbsbeschränkungen (GWB). 7ecause of the controversy about integrating data protection rules into competition analysis at the time of the decision, 8 the Bundeskartellamt was careful to frame its concerns in the context of German and not EU competition law.The German Federal Court of Justice held in cases like VBL-Gegenwert 9 and Pechstein 10 that the German prohibition of abuse of dominance in Section 19(1) GWB can also be invoked in cases where one party dictates contractual terms that breach civil law principles or constitutionally protected rights.Following this approach, for which no precedent exists at EU level, 11 the Bundeskartellamt relied on the GDPR to hold Meta liable under German competition law for exploiting its dominance by imposing unfair terms and conditions on users.
Meta appealed the Bundeskartellamt's decision before the German courts.The Higher Regional Court in Düsseldorf ruled in favour of Meta in interim proceedingsarguing in its August 2019 judgment that the Bundeskartellamt was exclusively discussing a data protection and not a competition problem. 12However, the German Federal Court of Justice on appeal in interim proceedings sided with the Bundeskartellamt in qualifying Meta's conduct as abusive in its June 2020 judgment. 13he case came to the EU level via a preliminary reference to the CJEU from the Higher Regional Court in Düsseldorf in the proceedings on the merits.The Düsseldorf Court asked the CJEU, among others, whether a national competition authority can make findings about the consistency of personal data processing with the GDPR in the course of an abuse of dominance investigation under competition law. 14While the Düsseldorf Court did not refer to any provisions of EU competition law, the CJEU answered this question in the context of the abuse of dominance prohibition of Article 102 of the Treaty on the Functioning of the European Union (TFEU), thereby bringing the case within the remit of the EU competition rules.

Judgment of the CJEU
The CJEU's reasoning can be divided into three main parts that each make their own contribution to our understanding of the interaction between competition and data protection law, namely: (1) how data protection concepts impact competition law and vice versa; (2) how to assess the GDPR's legal bases for personal data processing by a powerful player; and (3) how to coordinate the work of data protection and competition authorities.This section discusses the CJEU's reasoning on each of these three issues in turn.
A. Data protection concepts impact competition law, but less so the other way around?
The CJEU clearly confirms the ability of national competition authorities to check the consistency of personal data processing with the GDPR where relevant to assess the existence of an abuse of dominance.While acknowledging that data protection and competition authorities have different functions and tasks, the CJEU notes that there is no provision in the GDPR preventing national competition authorities from finding a violation of the GDPR in the performance of their duties. 15In the view of the CJEU, the compliance of conduct with the GDPR may be 'a vital clue among the relevant circumstances of the case' in order to establish whether that conduct meets the competition rules. 16According to the CJEU, access to personal data has become a significant parameter of competition in the digital economy.Therefore, excluding the GDPR rules from the legal framework to be considered by competition authorities in abuse of dominance cases 'would disregard the reality of this economic development and would be liable to undermine the effectiveness of competition law within the European Union'. 17he CJEU is less unequivocal about whether competition concepts matter for interpreting the scope of data protection law.As Advocate General Rantos also pointed out in his Opinion, 18 the CJEU argues that the dominance of a social network provider must be taken into account in determining whether a user has validly and freely given consent but does not, as such, render consent invalid. 19ollowing this nuanced position, the CJEU does express serious doubts about whether the consent of Facebook users can be considered freely given.The CJEU notes that Article 7(4) GDPR requires users to be free to refuse consent for data processing activities that are not necessary for the performance of a contract and that the processing at stake does not appear to meet this threshold. 20Given the scale of the data processing and its significant impact on Facebook users, the CJEU also submits that it is appropriate to give users the possibility of giving separate consent for the processing of data within the Facebook social network and for the off-Facebook data.In the absence of such a possibility, the consent of users to the processing of off-Facebook data must be presumed not to be freely given in the view of the CJEU. 21Finally, the CJEU stipulates that users must still be able to use the social network if they refuse consent for data processing activities that are not necessary for the performance of the contract.According to the CJEU, this means that users have to be offered an equivalent alternative not accompanied by such data processing operationsif necessary, for an appropriate fee. 22

B. Assessing personal data processing by a powerful player
Beyond its strict interpretation of consent, the CJEU also approaches the other legal bases for personal data processing under the GDPR restrictively, namely performance of a contract, legitimate interests of the data controller, compliance with a legal obligation, performance of a task in the public interest and protection of the vital interests of data subjects.
For determining the necessity of data processing for the performance of a contract, the CJEU lays down a standard of data processing being 'objectively indispensable for a purpose that is integral to the contractual obligation intended for the data subject' and requires 'no workable, less intrusive alternatives' to be present. 23In the case at hand, the CJEU argues that the provision of personalized content and the consistent and seamless use of Meta's own services do not appear to be necessary for offering a social network service. 24ith regard to the legitimate interests of the data controller as a legal basis for data processing, the CJEU finds that the interests and fundamental rights of users override the interests of a social network provider in offering personalized advertising because users cannot reasonably expect such use of their personal dataeven though social network services are offered free of charge. 25Similarly, the CJEU notes that it is doubtful that the controller's interest in improving a product or service to make it more efficient or attractive outweigh the interests and fundamental rights of users. 26The CJEU continues by stating that the sharing of information with law enforcement agencies cannot constitute a legitimate interest because it is unrelated to the economic and commercial activity of Meta.At most, such data processing may be justified when objectively necessary for compliance with a legal obligation. 27n the context of the legal basis involving compliance with a legal obligation under Article 6(1)(c) GDPR, Meta referred to the need to 'respond to a legitimate request for certain data'.And in order to claim that the data processing is necessary for the performance of a task carried out in the public interest under Article 6(1)(e) GDPR, Meta relied on its purpose to 'research for social good' and to 'promote safety, integrity and security'. 28While the CJEU left it to the Düsseldorf Court to assess whether Meta is indeed under a legal obligation to collect personal data in a preventive manner in order to be able to respond to requests from national authorities to provide user data, 29 it is in its view unlikely that Meta was entrusted with a task carried out in the public interest to conduct research for the social good and promote safety, integrity and security, given the economic and commercial nature of the data processing. 30inally, Meta tried to justify its data processing on the ground that it is necessary to protect the vital interests of data subjects.In response to this claim, the CJEU stated that Meta, who is pursuing activities of an economic and commercial nature, 'cannot rely on the protection of an interest which is essential for the life of its users in order to justify, absolutely and in a purely abstract and preventive manner, the lawfulness of data processing'. 31

C. Coordination framework set up by the CJEU
Another insightful part of the judgment is where the CJEU sets out a general framework for cooperation between data protection and competition authorities in absence of any specific rules in EU law.Building upon the duty of sincere cooperation of Article 4(3) of the Treaty on the European Union, the CJEU explains that competition authorities are required 'to consult and cooperate sincerely' with data protection authorities to ensure that the rules and objectives of the GDPR 'are complied with while their effectiveness is safeguarded'. 32The CJEU then lays down a number of steps to be followed.
If the conduct at stake or similar conduct has already been the subject of a decision by a data protection authority or the CJEU, the competition authority cannot depart from the decision. 33Where a competition authority has doubts about how its investigation relates to earlier or ongoing work in the area of data protection, it has to consult and seek the cooperation of the competent or lead data protection authority. 34In turn, the data protection authority must respond to such a request for information or cooperation within a reasonable period of time. 35If the data protection authority does not reply within a reasonable time, the competition authority may continue its investigation.The same applies if the data protection authority has no objection to a competition investigation being continued. 36In the case at hand, the CJEU concludes that the Bundeskartellamt appears to have fulfilled its obligations of sincere cooperation because it notified the relevant German data protection authorities and the Irish Data Protection Commission, as the lead data protection authority, who all raised no objections to its actions. 37

Analysis
The CJEU's judgment provides welcome clarifications about the possibilities and limits that EU law sets for data protection and competition law to interact with each other to assess the legality of personal data processing by a dominant firm.Following the three-fold division of issues in the previous section, the three aspects discussed by the CJEU are now put into context with specific attention for the question of how the judgment will affect personal data processing in the future beyond the Meta Platforms casealso considering the entry into force of the Digital Markets Act.

A. How data protection and competition law interact with each other
Considering the earlier controversy about the relevance of data protection rules for competition law, 38 the CJEU's unambiguous confirmation that competition authorities can rely on data protection law in their assessment may seem striking.However, judgments like AstraZeneca 39 and Allianz Hungaria 40 already recognized that the breach of another area of EU or national law beyond competition law can be a factor in determining a violation of the competition rules as well.AstraZeneca dealt with misuse of regulatory procedures to obtain a patent and Allianz Hungaria concerned a breach of domestic insurance law.It is therefore no real surprise that the CJEU confirms that competition authorities can also look at data protection law when conducting competition investigations.While the reference to the need to prevent competition law's effectiveness being undermined 41 is not unprecedented but a phrase that the CJEU uses more often to support an expansive interpretation of the competition rules, the strong language is nevertheless noteworthy.The CJEU almost presents it as a stated fact that data protection concepts influence competition law.
The CJEU uses less strong language when determining the relevance of the dominance of a data controller under competition law for determining whether consent is valid under the GDPR.While stating that the dominance of a data controller does not by itself prevent users from giving valid consent, the CJEU's detailed stipulations do substantially limit the circumstances in which a powerful player can demonstrate that it has obtained valid consent.Where personal data is combined across services, it seems that consent can only still be regarded as valid when users can separately provide or refuse consent for any processing that is not strictly necessary for the performance of a contract.This clarification by the CJEU considerably restricts Meta's ability to combine personal data from different sources and between different services under the GDPR.
Considering the strong language used by the CJEU to reject the other legal bases Meta invoked as well, the Düsseldorf Court has little room to still find that Meta's data processing is consistent with the GDPR.This part of the judgment, in which the CJEU comments on all legal bases for data processing under the GDPR, will probably be referenced the most in the future because of the clear and outspoken explanations.The Norwegian Data Protection Authority already relied on this part of the CJEU's reasoning to impose a temporary ban on Meta on 14 July 2023 to carry out behavioural advertising based on the surveillance and profiling of users in Norway. 42It therefore seems that the CJEU's judgment could be a turning point in how Meta processes personal data.Another relevant issue is how the judgment in Meta Platforms will affect future personal data processing by others.

B. The future of personal data processing after Meta Platforms
In this regard, it is worth noting that the powerful position of Meta seems to have influenced the CJEU's assessment of the different legal bases under the GDPR.In several instances, the CJEU refers to the scale of the data processing and its significant impact on users. 43It therefore seems that the judgment supports a more asymmetric interpretation of the duties of data controllers under the GDPR, where a larger scale and impact implies that data controllers are more restricted in their data processing activities. 44This is also in line with the so-called risk-based approach to the GDPR, according to which stricter conditions are attached to issues like data protection by design, the security of processing and the implementation of data protection impact assessments depending on the risk involved. 45Following this reasoning, the judgment will thus likely also limit the extent to which other large providers of advertising-based platforms beyond Meta can still process and combine personal data across their portfolio of own and affiliated services without violating the GDPR.
Next to the GDPR, the Digital Markets Act (DMA) requires gatekeepers who provide core platform services 46 to refrain from combining personal data across services unless the end user has given consent within the meaning of the GDPR. 47This provision is based on the Bundeskartellamt's case against Meta, so that the DMA thus now imposes the same requirement on other gatekeeping platforms.According to recital 36 to the DMA, to prevent gatekeepers from unfairly undermining the contestability of core platform services, end users need to be offered a less personalized but equivalent alternative, without making the use of a core platform service or certain of its functionalities conditional upon consent.The CJEU seems to have been inspired by the recital, as it interpreted the concept of GDPR consent in the same way by stating that users must be offered an equivalent alternative when they refuse consent for data processing activities that are not necessary for the performance of the contract. 48 question that the judgment leaves open is whether the GDPR can be interpreted in the same way for small-scale personal data processing activities of data controllers that do not qualify as dominant firms or gatekeepers under, respectively, competition law and the DMA.While the GDPR lays down a minimum level of data protection to which all data controllers are bound, the DMA targets a subset of the most powerful digital platforms.Because of this nature of the DMA, it may thus be that its data protection-relevant provisions, including regarding personal data combination, can be seen as a 'GDPR plus' regime by requiring more from gatekeepers than what stems from the regular interpretation of the relevant GDPR rules.Such an approach would ensure that gatekeepers are indeed bound by stronger obligations than the ones already laid down in other legal regimes beyond the DMA.This would also imply that the GDPR, as suggested above, tailors its standards of interpretation to the scale and scope of the personal data processing by the respective data controller, where less strict requirements apply to players engaged in smaller or less risky processing activities.Whether such an approach will indeed be applied following the CJEU's references to the scale and impact of Meta's personal data processing, however, remains to be seen in future cases.Such an asymmetric interpretation of the GDPR rules is arguably welcome to make compliance with data protection law more effective by expecting more from those data controllers who are able to implement stricter duties and whose activities have a larger impact.

C. The assignment for competition and data protection authorities
The entry into force of the DMA will also impact the dynamics in the coordination between competition and data protection authorities.By requiring competition authorities to consult the relevant data protection authorities, the CJEU in Meta Platforms leaves it to data protection authorities to control whether a competition authority can check compliance with data protection rules for the purposes of establishing a competition violation.However, the enforcement of the DMA is in the hands of the European Commission with only an advisory role foreseen for the European Data Protection Supervisor and the European Data Protection Board in the high-level group for the Digital Markets Act. 49Because the DMA regulates practices of gatekeepers to which the GDPR also applies, including personal data combination and data portability, the European Commission will not need the approval of the data protection authorities to monitor these practices.This means that the roles are reversed in the DMA, as compared to the approach laid down by the CJEU in Meta Platforms, with the European Commission controlling enforcement, including the application of any relevant data protection concepts.It is therefore unlikely that competition authorities, and especially the European Commission, will still take up any of the data-related practices now covered by the DMA through using the GDPR as a benchmark for establishing an abuse of dominance, as the Bundeskartellamt has done.For such data-related practices of gatekeepers, the entry into force of the DMA has thus already bypassed the outcome of the Meta Platforms judgment.
However, the coordination framework set up by the CJEU remains all the more relevant for nongatekeepers and for data-related practices that are not regulated by the DMA.For these cases where competition authorities may wish to rely on the GDPR in the future, the CJEU does not prescribe the exact contours of cooperation and thereby invites competition and data protection authorities to come up with more detailed frameworks or protocols to ensure consistency in the application and interpretation of the GDPR.From the perspective of interpreting data protection concepts for the purpose of establishing a competition violation, the CJEU also states that a competition authority 'remains free to draw its own conclusions from the point of view of the application of competition law' even when a relevant decision on the conduct has already been taken by a data protection authority or the CJEU. 50This raises the question what room for deviation there is, considering that competition law has its own, autonomous interpretations of various concepts (think of 'undertaking' or 'agreement' for instance).The judgment seems to leave leeway for competition authorities to set different thresholds for intervention than the GDPR when interpreting data protection rules for the purpose of establishing a competition violation.An example could be a competition authority finding an abuse of dominance consisting of unfair processing of personal data, even though the data protection authority would not have been able to establish a violation for the same behaviour under the GDPR.

Outlook
Based on the CJEU's judgment, it is now up to the Düsseldorf Court to decide on the fate of Meta's personal data processing in the proceedings on the merits at national level.Considering the strong statements of the CJEU, it seems that the Düsseldorf Court has little room to still conclude that the Bundeskartellamt's decision should be quashed.The strong language used by the CJEU indicates that it regards the Meta Platforms case as a clear example of a competition authority legitimately intervening after coordinating with the relevant data protection authorities against behaviour that almost without a doubt violates the GDPR.Of more general relevance beyond the circumstances of the case, the CJEU clarified that the data protection rules can be a factor for competition authorities to decide whether there is an abuse of dominance and that dominance can, in turn, be factor in assessing the validity of consent under the GDPR.Because the CJEU interpreted all legal bases for personal data processing, it has given welcome clarifications about the scope of the GDPR that may also help data protection authorities to more effectively enforce compliance with data protection rules in the future.
While the CJEU provided clarity about the legality of Meta's personal data processing under the GDPR and the DMA now includes the same requirement for other gatekeepers beyond Meta, there will likely be next cases at the intersection of data protection and competition law that are less straightforward.These could be cases where the dominance of the data controller or the problematic nature of its data processing activities are less pronounced.So while the CJEU opens the door for establishing further synergies between the two legal domains, it also leaves competition and data protection authorities with an assignment to coordinate their respective competences and interpretations of the law in the future.

Declaration of conflicting interests
The author declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1. 5. Opinion of Advocate General Rantos in Case C-252/21 Meta Platforms v. Bundeskartellamt, EU:C:2022:704.6. Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector (Digital Markets Act) [2022] OJ L 265/1.