Opinion of Advocate General Rantos on the German Meta case

The Advocate General at the ECJ has no general objections to a competition authority incidentally examining provisions of the GDPR when applying the prohibition of abuse of market power under competition law. In doing so, the competition authority should inform any competent data protection authority, consult with it and, if applicable, take into account existing decisions on the application of data protection law. This concerns the first and seventh questions referred by the OLG Düsseldorf. If the ECJ were to agree with this assessment, a weighty question would be settled. In particular, there is no blocking effect by the GDPR, as is occasionally argued. The Advocate General also considers the coordination of the FCO with the data protection authorities to be sufficiently fulfilled in factual terms.

A processing of sensitive personal data is already present in the case of mere input of data by a user if this data is linked to the user account of the social network and used, provided that this data, either considered individually or aggregated, enables the creation of a user profile with categories resulting from sensitive personal data. The mere entry of the data or leaving them on websites or apps by the user does not constitute an obvious act of disclosure. This concerns the second question referred.

With regard to the further individual questions on the interpretation of the GDPR, the Advocate General expresses doubts as to whether they are admissible questions for a preliminary ruling, as they do not concern the interpretation, but the application to the specific case. He summarises the third and fifth questions referred. In any case, the respective exceptions for each data processing modality would have to be examined in detail by the referring court.

Finally, the Advocate General is of the opinion that the mere fact of a dominant position of an undertaking does not militate against the effectiveness of a consent given to it. However, the dominant undertaking would have to prove that the consent was given voluntarily. In doing so, an obvious imbalance of power must be taken into account. This concerns the sixth question referred.

The full text of the opinion is available online here. Disclaimer: I am also representing the party Verbraucherzentrale Bundesverband e.V. in these proceedings before the ECJ.

Heiko Dünkel (vzbv) and Sebastian Louven (louven.legal)

Detailed analysis

On the first question referred for a preliminary ruling

The first question referred for a preliminary ruling relates to the fundamental jurisdiction of the competition authority and whether it can be excluded in the specific situation.

The Advocate General reads the question referred as referring to a direct decision on a breach of data processing provisions of the GDPR. However, the contested decision of the BKartA does not punish a violation of the GDPR, but only an abuse of market power. Thus, only an examination under cartel law is carried out, in which the authority has taken into account, among other things, the incompatibility of the company’s conduct with the provisions of the GDPR. A question of jurisdiction could not arise because the GDPR provides for a harmonised enforcement mechanism, on the basis of which only the data protection authorities are competent. A decision of a competition authority with incidental review cannot interfere with this competence.

However, since the first sub-question concerns a direct decision by the competition authority ordering the cessation of a GDPR infringement, it is irrelevant. The second sub-question relates to the possibilities of prosecuting any data protection infringements and is also irrelevant.

On the seventh question referred for a preliminary ruling

The seventh question for a preliminary ruling relates to the substantive law possibility of an incidental finding of GDPR infringements in the prosecution of competition law infringements. At the same time, it includes questions on the consideration of data protection authorities that directly deal with the GDPR infringements.

Incidental review of the GDPR permissible in principle

In this regard, the Advocate General first notes that the GDPR does not grant the competition authority any power to determine an infringement. However, the GDPR does not exclude an incidental consideration in the examination of the prohibition of abuse. By incidental, the Advocate General means an indirect examination in the context of the actual application of the antitrust provisions. This may not be excluded, as otherwise the effective application of competition law would be called into question. And although the examination is incidental, it could again lead to questions of interpretation in the context of regular judicial protection.

Different protective purposes and indicative effect of the GDPR infringement

The incompatibility of a conduct with the GDPR could thus be an important indication for determining whether a conduct still constitutes the use of means of normal competition. This is in line with the case law of the BGH, which had also already spoken of an indicative effect, but not a condition. However, the Advocate General makes it clear that the unfairness or lack thereof does not result from compatibility or incompatibility with the GDPR or other provisions outside competition law. He becomes more specific in footnote 18, according to which it is clear that conduct relating to data processing may constitute an infringement of competition law even if it is compatible with the GDPR and that, conversely, conduct that is unlawful within the meaning of the GDPR does not necessarily indicate that it infringes competition law. It therefore comes down to an examination under antitrust law alone. Furthermore, the same footnote states that linking the abuse test exclusively to a GDPR violation could jeopardise the objective of competition protection. This statement is very helpful as it clarifies the different protective purposes of competition law on the one hand and data protection law on the other, with the former being potentially broader. This is again clarified by the Advocate General in footnote 21, according to which the interpretation of the GDPR by the competition authority is solely for purposes of the competition law provision. These are therefore different infringements that can be examined by the respective competent authorities. The clarification at the end that there cannot be a violation of the ne bis in idem principle because of these different subjects is pleasing.

Risk of a non-uniform interpretation of the GDPR

The Advocate General then deals at some length with the problem behind the question referred for a preliminary ruling, namely that a competition authority — which is not responsible for enforcing the GDPR — interprets the GDPR provisions in the course of its incidental examination and thus runs the risk of a non-uniform interpretation. This risk is inherent in any area regulated by sector-specific rules which the competition authority must or may take into account when assessing the admissibility of a particular conduct under competition law. Union law does not contain a clear rule in this regard, neither in the GDPR nor in the implementing regulation relevant for competition law. Therefore, the principle of loyal cooperation according to Article 4 (3) TEU is relevant. The competition authority is bound by the principle of good administration as a general principle when applying Union law. This gives rise to a comprehensive duty of care and diligence on the part of the national authorities. From this, the Advocate General derives duties of information, disclosure and cooperation vis-à-vis competent authorities when interpreting the GDPR, taking into account equivalence and effectiveness. This could even be analogous in principle to the procedural provisions of the GDPR, whereby these would have to be adapted accordingly and no draft decision would have to be submitted.

In concrete terms, it follows for the Advocate General from these requirements that a competition authority may not deviate from the statements of the competent lead supervisory authority on the application of certain GDPR provisions with regard to the same or similar conduct and must coordinate with the latter. There is still room for manoeuvre in the assessment of what constitutes identical or similar conduct. This is because not every reported violation is likely to be covered. Otherwise, the effectiveness of the enforcement of competition law would be impaired. On the other hand, coordination can serve precisely this purpose, namely to dispel doubts between the authorities about this. Moreover, the statements of the Advocate General do not mean that the competition authority may not act, but only that it must coordinate. According to the Advocate General, coordination with the respective national supervisory authority is sufficient because of the comprehensive system of cooperation in data protection law.

For the original proceedings, the Advocate General considers the due diligence obligations of the FCO to be fulfilled. There had been coordination pursuant to Section 50f GWB with the national data protection authority and informal contact with the Irish data protection authority. In addition, they had confirmed that they had not initiated any proceedings in relation to the subject matter.

Before the hearings; C‑252/21

On the second question referred for a preliminary ruling

The second question referred concerns, firstly, the classification of data by calling up websites and apps of third parties and whether this already constitutes the processing of sensitive personal data. Secondly, the Advocate General asks whether the mere entry of data already constitutes making it public.

The Advocate General first refers to recital 51 of the GDPR, according to which the processing of sensitive personal data may entail significant risks for fundamental rights and freedoms. Moreover, no distinction is made between data that are sensitive because they reveal a specific situation and data that are sensitive by nature. It is also not possible to distinguish whether a request is made either out of mere interest in a particular piece of information or because of the data subject’s own membership of one of the categories covered. It therefore always depends on the circumstances of the individual case.

Possibility of profiling

The decisive criterion for the application of Art. 9(1) GDPR is whether the processed data enable the creation of a user profile with regard to the categories resulting from the enumeration of sensitive personal data.

Decisive for the Advocate General is the consideration that a company such as Meta has it in its own hands to prevent the classification as sensitive personal data by the nature of its processing and thus not to be subject to the stricter regulations. This would avoid the situation that Meta also fears, namely that the company violates the GDPR by default because it cannot prevent obtaining information by automated means that is capable of establishing such an indirect link. In other words, the categorisation is made by the controller. It does not have to be true, since even the categorisation itself poses risks to fundamental rights and freedoms. Similarly, knowledge or intention to process by the controller is not required.

No obvious public disclosure in the case of mere input

The second sub-question relates to an exception. Namely, if sensitive personal data are already known to the public, there is no longer a need for special protection of the data subject. Since this is an exception to the strict prohibition rules, the Advocate General demands a particularly strict interpretation. The user must have full awareness of the disclosure of the information and take an explicit action, which comes very close to consent.

Merely calling up a page was not sufficient for this. A mere page query only discloses the data to the operator, not to the public. An intention to disclose the data to the general public could not be inferred from this. In addition, the Advocate General referred to Article 5(2) of the GDPR and the resulting burden of proof for the controller with regard to the circumstances justifying the lawfulness of the data processing. Finally, consent on the basis of the Cookie Directive was not sufficient, as it pursued a specific purpose and did not concern the processing of sensitive personal data. An equation with the will to make public could not be inferred from such consent.

On the third, fourth and fifth questions referred for a preliminary ruling

Some questions concern specific processing situations by the Meta Group. The Advocate General does not consider the requirements for a question to be referred to be fulfilled here, as they only relate to the application and not the interpretation and, in addition, the doubts regarding the interpretation for the specific case have not been presented by the referring court. Nevertheless, the Advocate General also provides answers here.

First of all, he also refers to Article 5 (2) of the GDPR and the resulting burden of proof of the controller. According to Article 13(1)(c) of the GDPR, the controller must indicate the legitimate interests pursued. This also includes indicating which processing operation is based on which legitimate interest.

When it comes to the interpretation of the criterion of “necessity”, this is to be understood as an objective necessity. It is not sufficient that the data processing is only carried out in the performance of the contract, is mentioned in the contract or is only useful for the performance. Instead, there had to be no realistic and less intrusive solutions. The processing must be an integral part of the contractual service and must take into account the reasonable view of the data subject. If there are multiple services, they must all be assessed in isolation as to their necessity. This means, for example, for the platform-based connection of several user groups, that an independent necessity test must be carried out for each group.

Necessity for personalisation

Meta’s main argument for merging data has always been that it served a personalised user experience. From a legal point of view, this argument must now be reconciled with the prerequisite of whether this service can also justify necessity. The Advocate General asks the rhetorical question of what degree of personalisation the user can expect. For this argument could not alone be used to justify any improvement. Any aggregation with a somehow increased personalisation would then be covered. A platform could then use this argument alone to undermine any other legal basis, simply because it dedicates its business model accordingly.

The Advocate General also goes in the same direction, considering consent to be necessary for the combination of data outside the platform. In that case, however, it would also take precedence and could not be undermined. In addition, consent must be given separately for different processing operations. In addition, the Advocate General sees the non-personalised, chronological display of the news feed as a sufficient alternative, so that personalisation is not necessary.

Necessity for the continuous and seamless use of the group’s own services

In principle, the Advocate General also sees the connection of services as useful or sometimes even desirable. However, each service has its own contract for the purpose of which the data processing is carried out. An independent necessity could not be derived from this and it was more appropriate to leave the choice to the user here. Since it is not sufficient that a processing is merely of use to the controller, no necessity can be seen. Moreover, product improvement is in the interest of the user rather than the controller and therefore does not constitute his legitimate interest.

In any case, the referring court would have to examine the individual bases of lawfulness.

On the sixth question referred for a preliminary ruling

The last question dealt with concerns the effects of an investigation under cartel law on the assessment of consent under data protection law. Such consent must be given voluntarily. This is sometimes rejected across the board with reference to the market power of a company. According to recital 42 of the GDPR, the criteria for involuntary consent are that the data subject has no real or free choice or cannot refuse or withdraw consent. The controller must provide evidence of the lawfulness of the consent.

According to the Advocate General’s assessment, market power alone does not preclude the validity of consent. However, it may describe an unequal power relationship between the controller and the data subject. If this is obvious, the voluntariness of consent may be questionable in the specific case. However, the person responsible can also prove that he or she obtained consent on a voluntary basis.

About the author

Dr. Sebastian Louven

I have been an independent lawyer since 2016 and advise mainly on antitrust law and telecommunications law. Since 2022 I am a specialist lawyer for international business law.
