The Advocate general at the ECJ has no fundamental objections to the fact that a competition authority indirectly examines provisions of the GDPR when applying the prohibition of abuse of market power under competition law. That concerns the first and seventh questions referred.
A processing of sensitive personal data already exists with the mere input of data by a user, if this data is linked to the user account of the social network and used, provided that this data, either individually or aggregated, enables the creation of a user profile with categories resulting from sensitive personal data. The mere entry of the data or the leaving of it on websites or apps by the user does not constitute an obvious publicity. This concerns the second question referred.
With regard to the further individual questions on the interpretation of the GDPR, the Advocate general expresses doubts as to whether these are admissible questions for reference, since they do not concern the interpretation but the application to the specific case. It summarises the third and fifth questions referred. In any event, the respective exceptions for each data processing arrangement would have to be examined in detail by the referring court.
Finally, the Advocate general considers that the mere fact of a dominant position of an undertaking does not militate against the effectiveness of consent given to it. However, the dominant undertaking must prove that the consent was voluntary. In doing so, an obvious imbalance of power must be taken into account. That concerns the sixth question referred.
The first question referred for a preliminary ruling
The first question referred relates to the fundamental competence of the competition authority and whether that competence may be excluded in the specific situation.
The Advocate general reads the question referred for a preliminary ruling as referring to a direct decision on an infringement of the data processing provisions of the GDPR. However, the contested decision of the BKartA does not punish a violation of the GDPR, but only an abuse of market power. Thus, only an antitrust review is carried out, in which the authority has used, among other things, the incompatibility of the company’s conduct with the provisions of the GDPR. A question of jurisdiction cannot arise simply because the GDPR provides for a harmonised enforcement mechanism on the basis of which only the data protection authorities are competent. A decision of a competition authority with an incidental examination cannot interfere with that competence.
However, since the first sub-question concerns a direct decision of the competition authority ordering the cessation of an infringement of the GDPR, it is ineffective. The second sub-question relates to the possibilities for prosecuting possible data protection violations and is also ineffective.
The seventh question referred for a preliminary ruling
The seventh question referred relates to the substantive possibility of establishing GDPR infringements in the prosecution of infringements of competition law. At the same time, it includes questions regarding consideration for data protection authorities that deal directly with the GDPR violations.
Basically permissible incidental review of the GDPR
In this regard, the Advocate General first notes that the GDPR does not confer any power on the competition authority to establish an infringement. However, the GDPR does not exclude an incidental consideration in the examination of the prohibition of abuse. By incidental, the Advocate General means an indirect examination in the context of the actual application of the antitrust provisions. This should not be ruled out, otherwise the effective application of competition law would be called into question. And although the examination is carried out incidentally, it could, in the context of regular judicial protection, once again lead to questions on interpretation.
Different protective purposes and indicative effect of the GDPR violation
The incompatibility of conduct with the GDPR could therefore be an important indication for determining whether conduct still constitutes the use of means of normal competition. This corresponds to the case law of the BGH, which had already spoken of an indicative effect, but not a condition. However, the Advocate General makes it clear that the abusiveness or its absence does not result from compatibility or incompatibility with the GDPR or other provisions outside competition law. It is made more specific in footnote 18, according to which it is obvious that conduct concerning data processing may constitute an infringement of competition law even if it is compatible with the GDPR and, conversely, conduct unlawful within the meaning of the GDPR does not necessarily lead to the conclusion that it infringes competition law. . It therefore depends on an examination of antitrust law alone. The same footnote also states that an exclusive link between the abuse test and a GDPR infringement could jeopardise the objective of protecting competition. This statement is very helpful because it clarifies the different protective purposes of competition law on the one hand and data protection law on the other, with the former potentially broader. This is made clear again by the Advocate General in footnote 21, according to which the interpretation of the GDPR by the competition authority is carried out solely for the purposes of the competition law provision. These are therefore different infringements which can be examined by the respective competent authorities. It is pleasing to see the clarification at the end that there can be no violation of the ne bis in idem principle because of these different subjects.
Risk of non-uniform interpretation of the GDPR
The Advocate General then devotes himself in great detail to the problem behind the question referred for a preliminary ruling, namely that a competition authority – which is not responsible for the enforcement of the GDPR – interprets the GDPR provisions in its incidental examination and thus there is a risk of a non-uniform interpretation. That risk is inherent in any area governed by sector-specific rules which the competition authority must or may take into account when assessing the admissibility of a particular conduct under competition law. A clear provision is not contained in EU law, neither in the GDPR nor in the implementing regulation relevant to competition law. Therefore, the principle of sincere cooperation under Article 4(3) TEU is relevant. In applying EU law, the competition authority is bound by the principle of sound administration as a general principle. This results in a comprehensive duty of care and care on the part of the national authorities. From this, the Advocate General derives information, information and cooperation obligations towards competent authorities in the interpretation of the GDPR, taking into account equivalence and effectiveness. This could even run in principle analogous to the procedural provisions of the GDPR, whereby these would have to be adapted accordingly and no draft decision would have to be submitted.
Specifically, for the Advocate General, it follows from these requirements that a competition authority may not deviate from the statements of the competent lead supervisory authority on the application of certain GDPR provisions with regard to the same or similar conduct and must coordinate with it. There is still room for manoeuvre in the evaluation of what is the same or similar behaviour. Because not every alleged violation should be covered. Otherwise, the effectiveness of competition law enforcement would be impaired. On the other hand, a vote can serve precisely this purpose, namely to dispel doubts between the authorities about it. Moreover, the Advocate General’s statements do not mean that the competition authority may not act, but only that it must coordinate. In the opinion of the Advocate General, coordination with the respective national supervisory authority is sufficient because of the comprehensive system of cooperation in data protection law.
For the purposes of the main proceedings, the Advocate General considers that the BKartA’s due diligence obligations have been fulfilled. There had been a consultation with the national data protection authority pursuant to § 50f GWB and also an informal contact with the Irish data protection authority. In addition, they have confirmed that they have not currently initiated any proceedings in relation to the subject-matter.
The second question referred for a preliminary ruling
The second question referred concerns, first, the classification of data by accessing third-party websites and apps and whether this already involves the processing of sensitive personal data. Secondly, it is asked whether the mere submission already constitutes a public making.
In this regard, the Advocate General first refers to recital 51 GDPR, according to which the processing of sensitive personal data may entail significant risks to fundamental rights and freedoms. Moreover, no distinction is made between data which is sensitive because it gives rise to a particular situation and sensitive data by its very nature. Nor is it possible to distinguish whether a request is made either out of a mere interest in a particular piece of information or because of the data subject’s own belonging to one of the categories covered. It therefore always depends on the circumstances of the individual case.
Ability to profile
The decisive criterion for the application of Article 9(1) GDPR is whether the processed data enable the creation of a user profile with regard to the categories resulting from the enumeration of sensitive personal data.
For the Advocate General, the decisive factor here is the consideration that an undertaking such as Meta has it in its own hands to prevent the classification as sensitive personal data by the way in which it is processed and thus not to be subject to the stricter rules. This would avoid the situation that Meta also fears, namely that the company violates the GDPR by default because it cannot prevent it from obtaining information by automated means that is suitable for establishing such an indirect reference. In other words, the categorization by the person responsible comes about. It does not have to be true, since the classification made at all entails dangers for fundamental rights and freedoms. Likewise, the knowledge or intention for processing by the controller is not required.
No obvious publicity when just entering
The second sub-question relates to an exception. If sensitive personal data are already known to the public, there is no longer any need for special protection of the data subject. Since this is an exception to the strict prohibition rules, the Advocate General requires a particularly strict interpretation. The user must have a full awareness of the disclosure of the information and take an explicit action, which is very close to consent.
A mere appeal is not enough for this. The mere page query gives the data solely to the operator, not to the public. A will to disclose to the general public cannot be inferred from this. In addition, the Advocate General refers to Art. 5 para. 2 GDPR and the resulting burden of proof for the controller with regard to the circumstances justifying the lawfulness of the data processing. Finally, no consent on the basis of the Cookie Directive is sufficient, since it pursues a specific purpose and does not concern the processing of sensitive personal data. An equation with the will to make public cannot be inferred from such consent.
The third, fourth and fifth questions referred for a preliminary ruling
Some questions concern specific processing situations by the Meta-Group. In the present case, the Advocate General considers that the conditions for a question referred for a preliminary ruling are not satisfied, since they relate only to the application and not to the interpretation and, moreover, the doubts as to the interpretation of the specific case by the referring court have not been set out. Nevertheless, the Advocate General also provides answers here.
First of all, he also refers here to Article 5 (2) GDPR and the resulting burden of proof on the controller. In accordance with Article 13 (1 ) (c) GDPR, the controller must indicate the legitimate interests pursued . This also includes an indication of which processing operation is based on which legitimate interest.
If, subsequently, the interpretation of the criterion ‘necessity’ is concerned, that is to be understood as an objective necessity. It is not sufficient that the data processing takes place only during the fulfillment of the contract, is mentioned in the contract or is only useful for the fulfillment. Instead, there must be no realistic and less drastic solutions. The processing must be an integral part of the contractual service and appreciate the suitable view of the data subject. If there were several services, all of them would have to be checked in isolation for their necessity. This means, for example, for the platform-based connection of several user groups, that an independent necessity check must be carried out with regard to each group.
Need for personalization
Meta’s main argument for merging the data has always been that it served a personalized user experience. From a legal point of view, this argument must now be reconciled with the condition whether this service can also justify the necessity. The Advocate General asks the rhetorical question of what degree of personalisation the user can expect. Because this argument alone could not be used to justify any improvement. Any merger with somehow increased personalization would then be captured. Then, with this argument alone, a platform could undermine any other legal basis, simply because it dedicates its business model accordingly.
The Advocate General also goes in the same direction, who considers consent to be necessary for the connection of data located outside the platform. But then this is also a priority and cannot be undermined. In addition, separate consent must be given to different processing operations. In addition, the Advocate General sees the non-personalized, chronological display of the newsfeed as a sufficient alternative, so that personalization is not necessary.
Necessity for the consistent and seamless use of the Group’s own services
In principle, the Advocate General also sees the combination of services as useful or sometimes even desirable. However, there is a separate contract for each service, for the purpose of which the data processing takes place. An independent necessity cannot be derived from this and it is more expedient to leave the choice to the user here. Since it is not sufficient that processing is merely of benefit to the controller, no necessity can be seen. Product improvement is also more in the interest of the user than of the person responsible and therefore does not represent his legitimate interest.
In any event, the referring court must examine the various legal bases.
The sixth question for a preliminary ruling
The last question dealt with concerns the effects of an antitrust investigation on the data protection assessment of consent. This must be voluntary. This is sometimes flatly rejected with reference to the market power of a company. According to recital 42 GDPR, criteria for the involuntary nature of consent are that the data subject has no real or free choice or cannot refuse or withdraw his consent. The controller must provide proof of the legality of the consent.
In the Advocate General’s view, market power alone does not preclude the validity of consent. However, it can describe an unequal balance of power between the person responsible and the person concerned. If this is obvious, the voluntary nature of consent may be questionable in the specific case. However, the controller can also prove that he has obtained consent on a voluntary basis.