On July 4, 2023, the highest EU court issued a landmark judgment in Case C-252/21, where the German court referred several questions for a preliminary ruling related to (i) the interplay between data protection concerns and competition law breaches; and (ii) interpretation of the EU General Data Protection Regulation (GDPR). This judgment has far-reaching implications for online operators whose business model is based on personalized content and advertisement.
- Relevance of data protection determinations in competition laws cases.
- Large interpretation of the notion of sensitive data and restrictive application of the “manifestly made public by the data subject” derogation within the meaning of Article 9 GDPR.
- High threshold regarding the legal basis available under Article 6 GDPR for personalized content and advertisement.
- Charging a fee for processing activities not necessary for the provision of the services may be an alternative to consent.
- Dominant market position does not affect per se the validity of consent.
The Court of Justice of European Union (CJEU) confirmed that national competition authorities (which usually do not have a monitoring or enforcement role under the GDPR) can review whether a data processing operation complies with the GDPR as part of the examination of an abuse of a dominant position by that undertaking. However, the national competition authorities should engage in sincere cooperation with the data protection authorities responsible for enforcing compliance with the GDPR.
Where there is a decision from a data protection authority or a court on the conduct or similar conduct under the GDPR, the national competition authority cannot depart from that decision. It can, however, reach its own conclusions from the point of view of the application of competition law. Where there is no decision or the scope of that decision is unclear, and the data protection authority refuses to cooperate (for example, it does not respond within a reasonable time to the request to cooperate) or does not object the investigation by the national competition authority, the national competition authority can conduct its own assessment.
The judgment of the CJEU highlights the possibility that companies could face enforcement actions for the same conduct under two regimes, both of which could result in substantial fines. Further, while the judgment focuses on the abuse of dominance, similar interplay could arise between the GDPR considerations and other aspects of EU competition rules. We have already seen this in merger cases.
The CJEU clarified that the processing by an operator consisting in the collection – by means of integrated interfaces, cookies or similar storage technologies – of data from visits of websites or apps relating to sensitive data and of the information entered by the users, the linking of all those data with the operator’s user accounts and the use of those data by the operator must be regarded as processing of sensitive data if sensitive data can be revealed. Further, where the processing entails the collection en bloc of both non-sensitive data and sensitive data without it being possible to separate the data items from each other at the time of collection, such processing activity must be regarded as processing of sensitive data if the data set contains only one sensitive data item. Such processing activities are in principle prohibited unless one of the derogations provided under Article 9(1) GDPR applies.
Regarding specifically the derogation of special categories of personal data manifestly made public by the data subject provided under Article 9 (1) (e) GDPR, the Court further ruled that this derogation may only apply to the processing above described if the user has explicitly made the choice – through individual settings – to make publicly accessible to an unlimited number of persons his interactions with these websites or apps.
- Performance of a Contract
The CJEU ruled that this legal basis can only be used where the processing is objectively indispensable for a purpose that is integral to the contractual obligations intended for the data subject. In practice, this means that the controller must be able to demonstrate that the processing is essential for the proper performance of the contract and that the contract cannot be achieved if the processing does not occur. The fact that the processing is referenced in the contract or merely useful for its performance is irrelevant. The Court considered that the personalization of content by social media platforms may be useful to users; however, such personalization is not necessary to offer the to users of social media platforms as such services can be provided without personalization.
- Legitimate Interest
The CJEU recalled that the controller must consider – when conducting its balancing test to assess whether its legitimate interest is not overridden by the data subject’s interests, rights and freedoms – the reasonable expectations of the data subject as well as the scale of the processing at issue and its impact on data subjects. The CJEU acknowledged that personalized advertising may be regarded as a legitimate interest of the controller; however, it concluded the users’ interests, rights and freedoms prevail in the context of the processing at issue. Indeed, the CJEU noted that the processing at issue is particularly extensive since it relates to potentially unlimited data, and users may feel that their private life is being continuously monitored. According to the CJEU, users can, therefore, not reasonably expect that such extensive processing activity for the purpose of personalized advertisement is being conducted without their consent. Consequently, legitimate interest cannot be used as a legal basis for personalised advertisement in the context of the processing at issue.
The CJEU recalled that under the GDPR, consent is not freely given where the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. In practice, this means that separate consent must be sought for each data processing operations. Users must, thus, be free to refuse to give their consent to particular data processing operations not necessary for the performance of the contract (such as personalized advertisement) without being obliged to refrain entirely from using the service offered by the online operator. According to the CJEU, users not wishing to provide consent to processing operations that are not necessary for the performance of the contract could be charged a fee.
The CJEU noted that the dominant market position of the online operator does not, per se, preclude users from being able to validly consent to the processing of their personal data by that operator. However, since that position is liable to affect the freedom of choice of those users and to create a clear imbalance between them and the online operator, it is an important factor in determining whether the consent was, in fact, validly and, in particular, freely given, which it is for that operator to prove.