Meta, DMA, and AI: Cologne Court Rejects Injunction – What Now?

Some weeks ago, the Hig­her Regio­nal Court of Colo­gne (OLG Köln) rejec­ted an appli­ca­ti­on for an inte­rim injunc­tion see­king to pro­hi­bit Meta from using Face­book and Insta­gram data for AI trai­ning start­ing 27 May 2025. As a result, Meta may pro­ceed with its plans, at least for now. A ruling on the merits is still pen­ding. Legal com­men­ta­tor David Wasi­lew­ski has out­lined fur­ther con­text at Legal Tri­bu­ne Online.

Let us first review what can be infer­red from the court’s reaso­ning — based on the press release, and then exami­ne the case through the lens of three key pro­vi­si­ons of the Digi­tal Mar­kets Act (DMA).

Narrow Understanding of Article 5(2) DMA by the Court

Accor­ding to the press release, the Colo­gne court based its decis­i­on pri­ma­ri­ly on data pro­tec­tion law, hol­ding that Meta has a legi­ti­ma­te inte­rest in using per­so­nal data for trai­ning AI sys­tems. This rea­ding has been stron­gly con­tes­ted, par­ti­cu­lar­ly by the Fede­ral Com­mis­sio­ner for Data Pro­tec­tion and Free­dom of Infor­ma­ti­on (BfDI), who con­siders the decis­i­on incorrect.

Strikin­gly, the court rejec­ted the argu­ment that Meta’s prac­ti­ce vio­la­tes Artic­le 5(2) DMA, which pro­hi­bits data com­bi­na­ti­on wit­hout con­sent. Based on the release, the court found that no “com­bi­na­ti­on” occur­red becau­se Meta alle­gedly did not mer­ge data­sets of the same indi­vi­du­al across ser­vices. The court fur­ther sta­ted that no rele­vant case law exists and that it was unable to con­sult the Euro­pean Commission.

This sug­gests the court inter­prets Artic­le 5(2) as requi­ring the mer­ging of iden­ti­fia­ble data rela­ted to the same user — i.e., com­bi­ning a data­set from Per­son A with ano­ther data­set from Per­son A. A com­bi­na­ti­on of data from Per­son A with data from Per­son X would not, in the court’s view, con­sti­tu­te a violation.

Howe­ver, this inter­pre­ta­ti­on is at odds with the text and pur­po­se of the DMA. The pro­vi­si­on refers to “per­so­nal data” wit­hout requi­ring that it be lin­ked to the same indi­vi­du­al. The objec­ti­ve of the DMA is to pre­vent gate­kee­pers from amas­sing vast, uncha­l­len­geable data tro­ves. The pro­hi­bi­ti­on the­r­e­fo­re extends to any cross-ser­vice com­bi­na­ti­on of per­so­nal data, regard­less of whe­ther it rela­tes to the same user.

The court’s refu­sal to address this is not excu­sed by the lack of pre­ce­dent. On the con­tra­ry, it should have pro­vi­ded a reaso­ned inter­pre­ta­ti­on of the pro­vi­si­on in light of its wor­ding and regu­la­to­ry purpose.

Three Further Provisions the Court Overlooked

Bey­ond Artic­le 5(2), the court negle­c­ted three core prin­ci­ples embedded in the DMA. A cur­so­ry rea­ding of Artic­le 13 DMA would have made this apparent.

Cla­ri­fi­ca­ti­on: The fol­lo­wing argu­ments rela­te only to the DMA and app­ly exclu­si­ve­ly to desi­gna­ted gate­kee­pers. They are not auto­ma­ti­cal­ly trans­fer­ra­ble to the GDPR, which appli­es more broadly.

1. Principle of Effectiveness

• Artic­le 13(3) DMA requi­res that gate­kee­pers ful­ly and effec­tively com­ply with Artic­les 5 – 7.
• Artic­le 8(1) DMA pro­vi­des that gate­kee­per com­pli­ance must effec­tively achie­ve the objec­ti­ves of the regu­la­ti­on and the spe­ci­fic obligation.

This moves bey­ond a purely tex­tu­al approach: the regu­la­to­ry objec­ti­ve must be ful­fil­led. This ali­gns with the pro­hi­bi­ti­on of mea­su­res having equi­va­lent effect, well estab­lished in com­pe­ti­ti­on law and ack­now­led­ged in the DMA’s recitals.

In this case, the court should have exami­ned whe­ther com­bi­ning per­so­nal data from various indi­vi­du­als across ser­vices has simi­lar com­pe­ti­ti­ve effects to com­bi­ning data about the same indi­vi­du­al. Argu­ab­ly, the broa­der com­bi­na­ti­on is even more harmful — it gives the gate­kee­per access to richer, more diver­se data­sets that com­pe­ti­tors can­not replicate.

2. Anti-Circumvention Rule

• Artic­le 13(4) DMA pro­hi­bits gate­kee­pers from enga­ging in any beha­viour — con­trac­tu­al, com­mer­cial, tech­ni­cal, or other­wi­se — that under­mi­nes com­pli­ance with Artic­les 5 – 7.
• Inter­face design, defaults, and nud­ging stra­te­gies are expli­cit­ly covered.

The court fai­led to con­sider whe­ther Meta’s opt-out solu­ti­on cir­cum­vents the opt-in requi­re­ment under Artic­le 5(2). Meta aims to steer users away from acti­ve con­sent, pre­fer­ring pas­si­ve accep­tance. Such design choices may under­mi­ne the obli­ga­ti­on by sub­sti­tu­ting de fac­to acquie­s­cence for genui­ne, infor­med consent.

3. Prohibition of Undue Friction and Manipulation

• Artic­le 13(6) DMA pro­hi­bits gate­kee­pers from exces­si­ve­ly hin­de­ring users in exer­cis­ing their rights under the DMA.
• This includes mani­pu­la­ti­on of auto­no­my and choice through inter­face design, func­tion, or inter­ac­tion flow.

Whe­re users have a right to con­sent, as in Artic­le 5(2), the inter­face must not dis­em­power them. An opt-out model, by design, depri­ves users of agen­cy. Meta’s inter­face may the­r­e­fo­re vio­la­te Artic­le 13(6) by struc­tu­ral­ly rest­ric­ting users’ con­trol over their per­so­nal data.

Repeat Infringements and Escalating Fines

The Com­mis­si­on may now initia­te non-com­pli­ance pro­cee­dings against Meta under Artic­le 29 DMA. Such pro­cee­dings are also per­mit­ted for cir­cum­ven­ti­on stra­te­gies under Artic­le 13(7).

This would not be the first time: the Com­mis­si­on has alre­a­dy issued a non-com­pli­ance decis­i­on against Meta for brea­ching Artic­le 5(2) DMA. A repeat or simi­lar vio­la­ti­on within eight years could trig­ger enhan­ced pen­al­ties. Under Artic­le 30(2) DMA, fines of up to 20% of glo­bal annu­al tur­no­ver may be imposed.

Structural Remedies and Reversibility

The appli­ca­ti­on for inte­rim reli­ef was based on the argu­ment that Meta is crea­ting irrever­si­ble facts. Once data has been used to train an AI model, tech­ni­cal roll­back may be impos­si­ble. The court rejec­ted the injunc­tion, but the main pro­cee­dings are still pending.

Even if no inte­rim order is issued, the Com­mis­si­on can intervene:

• Non-com­pli­ance decis­i­ons may include orders to cea­se or rever­se spe­ci­fic behaviour.
• In the con­text of AI trai­ning, the Com­mis­si­on may test whe­ther data dele­ti­on is tech­ni­cal­ly fea­si­ble. If not, it may con­sider retro­s­pec­ti­ve sepa­ra­ti­on of models.

If vio­la­ti­ons per­sist, the Com­mis­si­on may also resort to struc­tu­ral reme­dies under Artic­le 18 DMA. After three non-com­pli­ance decis­i­ons in eight years, it may initia­te a mar­ket inves­ti­ga­ti­on into sys­te­ma­tic non-compliance.

This can result in bin­ding decis­i­ons requiring:

• Struc­tu­ral separation
• Dives­ti­tu­re obligations
• Open-access man­da­tes

While such mea­su­res may not rever­se past inf­rin­ge­ments, they would neu­tra­li­se Meta’s com­pe­ti­ti­ve advan­ta­ge and res­to­re a level play­ing field through reme­di­al obli­ga­ti­ons tied to data governance.

Conclusion

The Colo­gne court’s approach rai­ses serious con­cerns regar­ding the inter­pre­ta­ti­on and enforce­ment of the DMA. The reaso­ning sug­gests a nar­row, over­ly tex­tu­al rea­ding of key pro­vi­si­ons that fails to reflect the regu­la­to­ry logic behind the new digi­tal regime.

The Com­mis­si­on reta­ins wide powers to ensu­re com­pli­ance, deter­rence, and pro­por­tio­na­li­ty. Busi­nesses and affec­ted stake­hol­ders should prepa­re for pro­lon­ged regu­la­to­ry dis­pu­tes, with pri­va­te enforce­ment and struc­tu­ral reme­dies likely to gain prominence.