The Advocate General at the ECJ has no general objections to a competition authority incidentally examining provisions of the GDPR when applying the prohibition of abuse of market power under competition law. In doing so, the competition authority should inform any competent data protection authority, consult with it and, if applicable, take into account existing decisions on the application of data protection law. This concerns the first and seventh questions referred by the OLG Düsseldorf. If the ECJ were to agree with this assessment, a weighty question would be settled. In particular, there is no blocking effect by the GDPR, as is occasionally argued. The Advocate General also considers the coordination of the FCO with the data protection authorities to be sufficiently fulfilled in factual terms.
A processing of sensitive personal data is already present in the case of mere input of data by a user if this data is linked to the user account of the social network and used, provided that this data, either considered individually or aggregated, enables the creation of a user profile with categories resulting from sensitive personal data. The mere entry of the data or leaving them on websites or apps by the user does not constitute an obvious act of disclosure. This concerns the second question referred.
With regard to the further individual questions on the interpretation of the GDPR, the Advocate General expresses doubts as to whether they are admissible questions for a preliminary ruling, as they do not concern the interpretation, but the application to the specific case. He summarises the third and fifth questions referred. In any case, the respective exceptions for each data processing modality would have to be examined in detail by the referring court.
Finally, the Advocate General is of the opinion that the mere fact of a dominant position of an undertaking does not militate against the effectiveness of a consent given to it. However, the dominant undertaking would have to prove that the consent was given voluntarily. In doing so, an obvious imbalance of power must be taken into account. This concerns the sixth question referred.
The full text of the opinion is available online here. Disclaimer: I am also representing the party Verbraucherzentrale Bundesverband e.V. in these proceedings before the ECJ.
On the first question referred for a preliminary ruling
The first question referred for a preliminary ruling relates to the fundamental jurisdiction of the competition authority and whether it can be excluded in the specific situation.
The Advocate General reads the question referred as referring to a direct decision on a breach of data processing provisions of the GDPR. However, the contested decision of the BKartA does not punish a violation of the GDPR, but only an abuse of market power. Thus, only an examination under cartel law is carried out, in which the authority has taken into account, among other things, the incompatibility of the company’s conduct with the provisions of the GDPR. A question of jurisdiction could not arise because the GDPR provides for a harmonised enforcement mechanism, on the basis of which only the data protection authorities are competent. A decision of a competition authority with incidental review cannot interfere with this competence.
However, since the first sub-question concerns a direct decision by the competition authority ordering the cessation of a GDPR infringement, it is irrelevant. The second sub-question relates to the possibilities of prosecuting any data protection infringements and is also irrelevant.
On the seventh question referred for a preliminary ruling
The seventh question for a preliminary ruling relates to the substantive law possibility of an incidental finding of GDPR infringements in the prosecution of competition law infringements. At the same time, it includes questions on the consideration of data protection authorities that directly deal with the GDPR infringements.
Incidental review of the GDPR permissible in principle
In this regard, the Advocate General first notes that the GDPR does not grant the competition authority any power to determine an infringement. However, the GDPR does not exclude an incidential consideration in the examination of the prohibition of abuse. By incidental, the Advocate General means an indirect examination in the context of the actual application of the antitrust provisions. This may not be excluded, as otherwise the effective application of competition law would be called into question. And although the examination is incidental, it could again lead to questions of interpretation in the context of regular judicial protection.
Different protective purposes and indicative effect of the GDPR infringement
The incompatibility of a conduct with the GDPR could thus be an important indication for determining whether a conduct still constitutes the use of means of normal competition. This is in line with the case law of the BGH, which had also already spoken of an indicative effect, but not a condition. However, the Advocate General makes it clear that the unfairness or lack thereof does not result from compatibility or incompatibility with the GDPR or other provisions outside competition law. He becomes more specific in footnote 18, according to which it is clear that conduct relating to data processing may constitute an infringement of competition law even if it is compatible with the GDPR and that, conversely, conduct that is unlawful within the meaning of the GDPR does not necessarily indicate that it infringes competition law. It therefore comes down to an examination under antitrust law alone. Furthermore, the same footnote states that linking the abuse test exclusively to a GDPR violation could jeopardise the objective of competition protection. This statement is very helpful as it clarifies the different protective purposes of competition law on the one hand and data protection law on the other, with the former being potentially broader. This is again clarified by the Advocate General in footnote 21, according to which the interpretation of the GDPR by the competition authority is solely for purposes of the competition law provision. These are therefore different infringements that can be examined by the respective competent authorities. The clarification at the end that there cannot be a violation of the ne bis in idem principle because of these different subjects is pleasing.
Risk of a non-uniform interpretation of the GDPR
The Advocate General then deals at some length with the problem behind the question referred for a preliminary ruling, namely that a competition authority — which is not responsible for enforcing the GDPR — interprets the GDPR provisions in the course of its inconsistent examination and thus runs the risk of a non-uniform interpretation. This risk is inherent in any area regulated by sector-specific rules which the competition authority must or may take into account when assessing the admissibility of a particular conduct under competition law. Union law does not contain a clear rule in this regard, neither in the GDPR nor in the implementing regulation relevant for competition law. Therefore, the principle of loyal cooperation according to Article 4 (3) TEU is relevant. The competition authority is bound by the principle of good administration as a general principle when applying Union law. This gives rise to a comprehensive duty of care and diligence on the part of the national authorities. From this, the Advocate General derives duties of information, disclosure and cooperation vis-à-vis competent authorities when interpreting the GDPR, taking into account equivalence and effectiveness. This could even be analogous in principle to the procedural provisions of the GDPR, whereby these would have to be adapted accordingly and no draft decision would have to be submitted.
In concrete terms, it follows for the Advocate General from these requirements that a competition authority may not deviate from the statements of the competent lead supervisory authority on the application of certain GDPR provisions with regard to the same or similar conduct and must coordinate with the latter. There is still room for manoeuvre in the assessment of what constitutes identical or similar conduct. This is because not every reported violation is likely to be covered. Otherwise, the effectiveness of the enforcement of competition law would be impaired. On the other hand, coordination can serve precisely this purpose, namely to dispel doubts between the authorities about this. Moreover, the statements of the Advocate General do not mean that the competition authority may not act, but only that it must coordinate. According to the Advocate General, coordination with the respective national supervisory authority is sufficient because of the comprehensive system of cooperation in data protection law.
For the original proceedings, the Advocate General considers the due diligence obligations of the FCO to be fulfilled. There had been coordination pursuant to Section 50f GWB with the national data protection authority and informal contact with the Irish data protection authority. In addition, they had confirmed that they had not initiated any proceedings in relation to the subject matter.
On the second question referred for a preliminary ruling
The second question referred concerns, firstly, the classification of data by calling up websites and apps of third parties and whether this already constitutes the processing of sensitive personal data. Secondly, the Advocate General asks whether the mere entry of data already constitutes making it public.
The Advocate General first refers to recital 51 of the GDPR, according to which the processing of sensitive personal data may entail significant risks for fundamental rights and freedoms. Moreover, no distinction is made between data that are sensitive because they reveal a specific situation and data that are sensitive by nature. It is also not possible to distinguish whether a request is made either out of mere interest in a particular piece of information or because of the data subject’s own membership of one of the categories covered. It therefore always depends on the circumstances of the individual case.
Possibility of profiling
The decisive criterion for the application of Art. 9(1) GDPR is whether the processed data enable the creation of a user profile with regard to the categories resulting from the enumeration of sensitive personal data.
Decisive for the Advocate General is the consideration that a company such as Meta has it in its own hands to prevent the classification as sensitive personal data by the nature of its processing and thus not to be subject to the stricter regulations. This would avoid the situation that Meta also fears, namely that the company violates the GDPR by default because it cannot prevent obtaining information by automated means that is capable of establishing such an indirect link. In other words, the categorisation is made by the controller. It does not have to be true, since even the categorisation made at all poses risks to fundamental rights and freedoms. Similarly, knowledge or intention to process by the controller is not required.
No obvious public disclosure in the case of mere input
The second sub-question relates to an exception. Namely, if sensitive personal data are already known to the public, there is no longer a need for special protection of the data subject. Since this is an exception to the strict prohibition rules, the Advocate General demands a particularly strict interpretation. The user must have full awareness of the disclosure of the information and take an explicit action, which comes very close to consent.
A mere call was not sufficient for this. A mere page query only discloses the data to the operator, not to the public. An intention to disclose the data to the general public could not be inferred from this. In addition, the Advocate General referred to Article 5(2) of the GDPR and the resulting burden of proof for the controller with regard to the circumstances justifying the lawfulness of the data processing. Finally, consent on the basis of the Cookie Directive was not sufficient, as it pursued a specific purpose and did not concern the processing of sensitive personal data. An equation with the will to make public could not be inferred from such consent.
On the third, fourth and fifth questions referred for a preliminary ruling
Some questions concern specific processing situations by the Meta Group. The Advocate General does not consider the requirements for a question to be referred to be fulfilled here, as they only relate to the application and not the interpretation and, in addition, the doubts regarding the interpretation for the specific case have not been presented by the referring court. Nevertheless, the Advocate General also provides answers here.
First of all, he also refers to Article 5 (2) of the GDPR and the resulting burden of proof of the controller. According to Article 13(1)© of the GDPR, the controller must indicate the legitimate interests pursued. This also includes indicating which processing operation is based on which legitimate interest.
When it comes to the interpretation of the criterion of “necessity”, this is to be understood as an objective necessity. It is not sufficient that the data processing is only carried out in the performance of the contract, is mentioned in the contract or is only useful for the performance. Instead, there had to be no realistic and less intrusive solutions. The processing must be an integral part of the contractual service and must appreciate the reasonable view of the data subject. If there are multiple services, they must all be assessed in isolation as to their necessity. This means, for example, for the platform-based connection of several user groups, that an independent necessity test must be carried out for each group.
Necessity for personalisation
Meta’s main argument for merging data has always been that it served a personalised user experience. From a legal point of view, this argument must now be reconciled with the prerequisite of whether this service can also justify necessity. The Advocate General asks the rhetorical question of what degree of personalisation the user can expect. For this argument could not alone be used to justify any improvement. Any aggregation with a somehow increased personalisation would then be covered. A platform could then use this argument alone to undermine any other legal basis, simply because it dedicates its business model accordingly.
The Advocate General also goes in the same direction, considering consent to be necessary for the combination of data outside the platform. In that case, however, it would also take precedence and could not be undermined. In addition, consent must be given separately for different processing operations. In addition, the Advocate General sees the non-personalised, chronological display of the news feed as a sufficient alternative, so that personalisation is not necessary.
Necessity for the continuous and seamless use of the group’s own services.
In principle, the Advocate General also sees the connection of services as useful or sometimes even desirable. However, each service has its own contract for the purpose of which the data processing is carried out. An independent necessity could not be derived from this and it was more appropriate to leave the choice to the user here. Since it is not sufficient that a processing is merely of use to the controller, no necessity can be seen. Moreover, product improvement is in the interest of the user rather than the controller and therefore does not constitute his legitimate interest.
In any case, the referring court would have to examine the individual bases of lawfulness.
On the sixth question referred for a preliminary ruling
The last question dealt with concerns the effects of an investigation under cartel law on the assessment of consent under data protection law. Such consent must be given voluntarily. This is sometimes rejected across the board with reference to the market power of a company. According to recital 42 of the GDPR, the criteria for involuntary consent are that the data subject has no real or free choice or cannot refuse or withdraw consent. The controller must provide evidence of the lawfulness of the consent.
According to the Advocate General’s assessment, market power alone does not preclude the validity of consent. However, it may describe an unequal power relationship between the controller and the data subject. If this is obvious, the voluntariness of consent may be questionable in the specific case. However, the person responsible can also prove that he or she obtained consent on a voluntary basis.