The complex interplay between EU competition law and data protection regulations has gained prominence alongside the rise of tech giants. Central to this relationship is the 2019 Meta decision by the German Federal Cartel Office (Bundeskartellamt), which accused Meta (formerly Facebook) of exploiting its dominant position in the German social network market. This exploitation involved collecting, combining, and analyzing “off-Facebook” user data for personalized advertising. The subsequent European Court of Justice (ECJ) ruling on July 4, 2023, provided crucial insights into the alignment of data protection and competition law.
I. Background
The Bundeskartellamt, in a groundbreaking move on February 6, 2019, asserted that GDPR infringements could indicate abuse of dominant position under competition law. The authority found Meta guilty of processing user data from outside Facebook without valid consent, contributing to targeted advertising. Legal battles ensued, culminating in the ECJ’s landmark decision on July 4, 2023.
II. Core Findings of the ECJ
- Relationship between GDPR and Competition Law
The ECJ affirmed that GDPR violations may overlap with competition law violations, especially in data-centric markets. Personal data, it stated, has become a significant parameter of competition in the digital economy. The ECJ outlined a framework for cooperation between competition authorities and data protection authorities (DPA), allowing competition authorities to draw independent conclusions under competition law.
- Meta’s GDPR Infringements
The ECJ deemed Meta’s practice of processing “off-Facebook” user data without explicit consent incompatible with the GDPR. It rejected Meta’s justifications under GDPR articles, emphasizing that user consent was the only valid justification. The ECJ asserted that consent must be freely given and refuted Meta’s claim of obtaining valid consent, citing the coercive environment created by market dominance.
III. Enforcement & Reactions
- BKartA’s Decision
Even before the ECJ ruling, the Bundeskartellamt reached a partial agreement with Meta regarding the implementation of its decision. Meta agreed to allow users to choose between separate or combined services, impacting data processing for personalized advertising. Negotiations on off-Facebook data continue, setting a precedent for digital players.
- Norwegian DPA’s Temporary Ban
The Norwegian Data Protection Authority issued a preliminary order against Meta, temporarily banning the processing of personal data for behavioral advertising. This move underscores the ongoing challenges in addressing GDPR infringements.
- Meta’s Shift to User Consent
In response to enforcement actions and the ECJ ruling, Meta announced a potential shift to a user consent-based data processing model. However, ambiguities in the announcement leave the actual extent of this shift uncertain.
IV. Conclusion & Outlook
The ECJ’s Meta decision not only shapes Meta’s business model but also sets a precedent for global digital economies. The ruling provides a blueprint for future interactions between competition and data protection authorities. The question arises whether similar reasoning can be extended to other regulatory areas, such as environmental, social, and corporate governance (ESG) laws, potentially influencing the assessment of competition law infringements. As the digital landscape evolves, delineating fields that regulate significant parameters of competition becomes a critical consideration.
DELTA Data Protection & Compliance Academy & Consulting – info@delta-compliance.com
