In a move thought likely to widen scrutiny of big tech companies and online platforms, the Court of Justice of the European Union (CJEU) has ruled that national anti-trust authorities can examine whether such organisations are operating in accordance with the EU General Data Protection Regulation (GDPR), and dealt a potentially fatal blow to Meta’s entire legal basis for targeted advertising.
The judgment vindicates Germany’s anti-trust body, the Bundeskartellamt, which had used its powers to address concerns over how Meta, the operator of Facebook, Instagram and WhatsApp, had handled the data of German users in the past. This previously resulted in an order that Meta must stop harvesting this data without user consent on the basis that to do so abused its dominant market position.
Meta, which is set to launch a Twitter competitor called Threads imminently, challenged this action, leading to the court case.
In the judgment, the CJEU stated: “In the context of the examination of an abuse of a dominant position by an undertaking, it may be necessary for the competition authority of the member state concerned also to examine whether that undertaking’s conduct complies with rules other than those relating to competition law, such as the rules laid down by the GDPR.”
It noted that if said authority identifies that the GDPR has been violated it does not, however, override the authority of the member state’s national data protection authority (DPA).
The CJEU additionally stated that with Meta’s data processing of special category data – that pertaining to characteristics such as racial or ethnic origin, political opinions, religious beliefs, gender identity and sexual orientation (the processing of which is in principle banned by the GDPR) – national courts can determine whether data collected may allow that information to be revealed whether or not it concerns a user of a Meta product.
In the matter of whether or not processing of such data is exceptionally allowed because the data subject had “manifestly” made that information public, the CJEU further clarified that the fact somebody uses websites or apps that reveal such information does not mean they are making it public under the GDPR. The same applies where they enter information into a website unless they have explicitly agreed to make their data publicly accessible beforehand, said the court.
Targeted ads not justifiable
Regarding the processing of non-sensitive data used by Meta for targeted advertising, the CJEU considered whether or not this is covered by justifications in the GDPR that allow the processing of data in the absence of consent.
Article 6(1)(b) of the GDPR establishes that practice could only be justified on condition that if the data is not processed, the contract between the user and the service operator can’t be fulfilled.
This contractual necessity for data processing is usually understood rather more narrowly. For example, it enables an online retailer to provide a customer’s address to a courier, which is clearly necessary data processing under the terms of the contract between the store and the customer.
Meta had relied on Article 6(1)(b) as its main justification for data processing for targeted advertising by claiming that targeted advertising was part of the service it contractually owes its users – a clause it introduced as part of a change to its terms of service (ToS) made at the stroke of midnight on 25 May 2018, which is the precise second the GDPR first came into force.
Max Schrems, founder of Austria-based data protection campaign group NOYB, argued that Meta seemed to have taken the view that it could just “add random elements” to the contract, i.e. its ToS, covering personalised advertising, to avoid offering users a yes or no consent option.
“Instead of having a ‘yes/no’ option for personalised ads, they just moved the consent clause in the terms and conditions. This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way,” said Schrems.
In practice, said the CJEU, there are serious doubts as to whether or not offering personalised content, or the consistent and seamless use of Meta’s services are capable of compliance with Article6(1)(b)
Meta’s reliance on Article 6(1)(b) had previously been ruled against by the European Data Protection Board (EDPB) in January 2023. Following this, it changed its argument to centre Article 6(1)(f), which concerns legitimate interests for data processing.
But the CJEU has also shut this down, additionally stating that personalised, targeted advertising cannot justify the processing of user data without the user’s consent as a legitimate interest either.
Schrems explained that while the CJEU has not ruled that legitimate interests can exist in certain circumstances, the judgment has clarified that no such interest can override a user’s rights when controllers are providing advertisements. This, he said, appears to mean that no data controller operating in the EU can now run targeted advertising based on anything other than freely given consent.
Schrems explained that ultimately, Meta had essentially tried to bypass GDPR using five of the six legal bases for data processing covered under Article 6(1) of the GDPR, all of which have been covered in the CJEU’s judgment.
“This is a huge blow for Meta, but also for other online advertisement companies. It clarifies that various legal theories by the industry to bypass the GDPR are null and void,” he said.
He welcomed the CJEU’s overall decision, which he said clarified that Meta cannot bypass the GDPR by changing paragraphs in its legal documents as it wishes.
“This will mean that Meta has to seek proper consent and cannot use its dominant position to force people to agree to things they don’t want. This will also have a positive impact on pending litigation between NOYB and Meta in Ireland,” said Schrems.
Computer Weekly understands Meta is evaluating the ruling and will have more to say in due course. It had not responded to a request for comment at the time of writing.
EC to adopt new rules to strengthen cross-border GDPR cases
At the same time, the European Commission (EC) has today proposed a new law that it said will streamline cooperation between member state data protection authorities (DPAs) when dealing with cross-border GDPR cases.
Among the proposals are an obligation for the lead DPA on an investigation to summarise key issues for its counterparts across the EU to reduce the scope for disagreements and enable consensus-building.
For individual EU citizens, the proposals will clarify what they need to do when complaining to their national DPA under the GDPR, and their process rights during an investigation, hopefully bringing swifter resolution to cases and more legal certainty for all.
“Five years ago, the world’s most ambitious and innovative data protection law entered into force. Five years on, GDPR has become a landmark legislation in the EU, inspiring global standards. It is clear that enforcement of GDPR works, but the procedures in cross-border cases can be still improved,” said EC commissioner for justice, Didier Reynders.
“Today, we have come forward with this proposal to show that we can do better to have quicker and more efficient handling of cases. We have listened to the voices of the European Data Protection Board, data protection authorities, civil society, and the industry. Our proposal addresses their calls and builds on our own findings to better protect Europeans’ right to privacy, provide legal certainty to businesses, and streamline cooperation between data protection authorities on the ground.”