Caveats to competition authorities’ powers on data protection matters, CJEU rules

The Court of Justice of the EU (CJEU) ruled, however, that competition authorities are obliged to liaise closely with data protection authorities in relation to such matters and are unable to reach different conclusions on issues that data protection authorities have already reached a decision on.

In its judgment, the court also provided guidance on where the boundaries lie between the respective competencies of competition authorities and data protection authorities in relation to cases where it is not clear whether the issues competition authorities are investigating have already been addressed by their data protection counterparts.

The CJEU said: “Where it has doubts as to the scope of such a decision [by the data protection authority], where those terms or similar terms are, simultaneously, under examination by those authorities, or where, in the absence of an investigation or decision by those authorities, the competition authority takes the view that the terms in question are not consistent with [the EU General Data Protection Regulation], it must consult and seek the cooperation of those supervisory authorities in order to dispel its doubts or to determine whether it must wait for them to take a decision before starting its own assessment. In the absence of any objection on their part or of any reply within a reasonable time, the national competition authority may continue its own investigation.”

The CJEU was considering the extent to which national competition authorities in EU member states have powers to make findings in relation to compliance with the GDPR in the context of a case referred to it from a court in Germany.

In 2019, the Federal Cartel Office in Germany determined that Facebook, now Meta, was dominant in the market for social networks and had abused its market power. It took issue with the way Facebook collected, used and merged data in user accounts and sought to require Facebook to obtain users' voluntary consent to merge their data from their Facebook accounts with that from third party websites or other Facebook-owned services, like WhatsApp and Instagram. However, Facebook appealed the decision to the Higher Regional Court in Düsseldorf, arguing among other things that the FCO had acted beyond the scope of its powers by interfering in data protection matters. The Düsseldorf court asked the CJEU to help it interpret EU legislation to enable it to rule on the appeal.

In its ruling, the CJEU also confirmed that it is possible for social networking providers to aggregate user data from across their own, and third party, services without the users’ consent – including on the basis of their own legitimate interests or where it is necessary for the performance of a contract – subject to certain conditions being met.

The data aggregation would be necessary for the purposes of the legitimate interests “only on condition that the operator has informed the users from whom the data have been collected of a legitimate interest that is pursued by the data processing, that such processing is carried out only in so far as is strictly necessary for the purposes of that legitimate interest and that it is apparent from a balancing of the opposing interests, having regard to all the relevant circumstances, that the interests or fundamental freedoms and rights of those users do not override that legitimate interest of the controller or of a third party”, the CJEU said.

The activity would be necessary for the performance of a contract only if “the processing is objectively indispensable for a purpose that is integral to the contractual obligation intended for those users, such that the main subject matter of the contract cannot be achieved if that processing does not occur”, it added.

Among the other issues it ruled on, the CJEU said that where online social network operators hold a dominant position in the market and rely on consent as a basis for processing user data, it is for those operators to prove that that the consent they have obtained is valid and, in particular, that it has been “freely given” by the user.

The EU Digital Markets Act, which took effect earlier this year, introduced restrictions beyond those that otherwise apply under the GDPR on the aggregation of user data by online ‘gatekeepers’.