CJEU scrutinises Facebook’s use of personal data for behavioural advertising

December 5, 2023

On a reference from a German court, the Court of Justice of the European Union has clarified the basis on which Meta can legitimately process Facebook users’ personal data for the purposes of behavioural advertising.[1] The CJEU’s decision suggests that even consent might not work, in that consent cannot be said to be freely given where there is a significant imbalance between user and controller. The CJEU provides some guidance on what might be implemented by Meta to ensure that it can evidence valid consent from its users.

The CJEU also ruled that a national competition authority is entitled to find, when conducting an investigation into an abuse of a dominant position, that an undertaking’s conduct has breached the General Data Protection Regulation (GDPR), as long as the sole purpose of the assessment is to establish an abuse of a dominant position. The competition authority must nevertheless take into consideration any decision or investigation by a national data protection authority (DPA) or lead supervisory authority, as the case may be. 

Background

Meta owns Facebook. The social media network is free to private users and makes its money through online advertising tailored to those users. On registering with the service, users must accept Meta’s general terms and conditions, which refer to its data and cookie policies under which Meta collects data about user activities on and off its networks and links those data with Facebook accounts of users. The off-Facebook data relate to visits to third-party webpages and apps, as well as the use of other online services belonging to the Meta group, including Instagram and WhatsApp. Data collected in that way allow detailed conclusions to be drawn about users’ preferences and interests.

In 2019 the Federal Cartel Office in Germany prohibited Meta from making, in its general terms, the use of Facebook by private users resident in Germany subject to the processing of their off-Facebook data. It also prohibited processing those data under the legal basis of consent, finding that Meta could not be said to have obtained valid consent if it was a condition for using Facebook. The Federal Cartel Office based its decision on the fact that the processing of the data, which it found to be inconsistent with the GDPR, constituted an abuse of Meta’s dominant position on the market for online social networks.

Meta challenged the decision before the Higher Regional Court in Dusseldorf, which decided to refer the case to the CJEU for guidance on whether national competition authorities were entitled to review whether the processing of personal data is GDPR-compliant. It also sought guidance on the application of the GDPR to the circumstances of the case.

Decision

Interaction between competition authorities and DPAs

The CJEU held that, subject to compliance with its duty of sincere co-operation with DPAs under Article 4(3) of the Treaty on European Union, a competition authority can find, in the context of an examination of an abuse of a dominant position by an undertaking under Article 102 of the Treaty on the Functioning of the European Union, that that undertaking’s general terms of use relating to the processing of personal data and their implementation are not consistent with the GDPR, where that finding is necessary to establish the existence of such an abuse.

Where a competition authority identifies a GDPR infringement, however, it does not step into the shoes of the DPA. The CJEU clarified that the DPA and the national competition authority each “perform different functions and pursue their own objectives and tasks”. For example, the DPA would be the entity with the power to levy fines under Articles 52 and 83 of the GDPR.

Accordingly, competition authorities must consult and co-operate sincerely with national DPAs (or a lead supervisory authority, as the case may be). Where a competition authority takes the view that it is necessary to examine whether an undertaking’s conduct is GDPR-compliant, that authority must ascertain whether that conduct or similar conduct has been the subject of a decision by a competent DPA or the CJEU. The competition authority’s decision on the GDPR aspects of the case must be consistent with any such decision. Where it has doubts as to the scope of a DPA’s decision or assessment, or in the absence of a DPA investigation, and where it considers that an undertaking’s conduct is not GDPR-compliant, the competition authority must consult the relevant DPAs and seek their co-operation. In the absence of any objection from them, the competition authority may continue its own investigation.

Special category personal data

The CJEU then turned to the processing of special category personal data. It held that, where the user of an online social network visits websites or apps to which one or more of those categories relate and enters information into them when registering or when placing online orders, the processing of personal data by the network operator (by means of integrated interfaces, cookies or similar storage technologies) must be regarded as processing of special categories of personal data within the meaning of Article 9(1) of the GDPR, where it allows information falling within one of those special categories to be revealed. That was the case irrespective of whether the information concerned the user of the network or any other natural person. As such, the processing of such data is in principle prohibited, subject to certain derogations.

The most relevant derogation for such purposes is whether the special category personal data have been manifestly made public by the data subject (GDPR, Article 9(2)(e)). The CJEU distinguished two types of processing in such respect:

  • When a user visits a website or app that relates to special category personal data (e.g., websites that might reveal data concerning a person’s sexual orientation or their religious beliefs or political opinions) and enables the user to be identified via cookies or similar technologies, the user cannot be said to have manifestly made public the data entered or resulting from those activities.
  • When a user “likes” or “shares” content on a website or app, enabling their identification via their Facebook log-in credentials or other means, the extent to which that interaction is public may vary, in that it may be determined by the individual settings chosen by that user. As such, such information would only be considered to have been manifestly made public where individual settings have been selected with full knowledge of the facts, to make the personal data concerned publicly accessible to an unlimited number of persons.

Necessity for performance of a contract

The CJEU went on to stress that processing could be regarded as “necessary for the performance of a contract” under Article 6(1)(b) of the GDPR only where such processing is “objectively indispensable” for a purpose that is “integral to the contractual obligation” intended for those users, such that the main subject matter of the contract could not be achieved without that processing. In this context, use of personal data for behavioural advertising and the sharing of personal data between Meta’s services did not appear to be necessary in order to offer Facebook’s services to that user.

Legitimate interest

The CJEU also clarified that the processing could not be justified on grounds of legitimate interest under Article 6(1)(f) of the GDPR unless the operator had informed the user of the legitimate interest pursued by the data processor and such processing was carried out only as far as strictly necessary for that purpose and, on balance, the rights of users could not override that legitimate interest. In that respect, the court considered that, for behavioural advertising in the absence of consent, the interests and fundamental rights of users would override the interests of the network operator in financing its activities through personalised advertising. The CJEU highlighted that Meta’s processing related to a large part, if not all, of a user’s online activities, which might give rise to a feeling that the user’s private life is being “continuously monitored”.

Consent

As to consent, the CJEU accepted that the fact that the social network operator holds a dominant position on the market for online social networks did not, as such, preclude the users from being able to consent to the processing of personal data. Yet the court also pointed out that, since that dominant position is liable to affect the freedom of choice of users and to create a clear imbalance between them and the controller, it is an important factor in determining whether consent was in fact validly and freely given. The court stressed that, in order to obtain lawful consent, Facebook users must be:

  • free to refuse individually, in the context of the contractual process, to give their consent to particular data processing operations, without being obliged to refrain from using the service entirely;
  • offered an equivalent alternative unaccompanied by such data processing operations (for an appropriate fee, if necessary); and
  • offered separate consent notices for the processing of on-Facebook data (such as their actions on the social network) and off-Facebook data (such as online activity tracked via cookies).

Comment

There are familiar GDPR themes here. Contractual necessity was at the heart of the Irish Data Protection Commission’s investigation into Meta, which resulted in a €390 million fine for GDPR breaches relating to the delivery of Facebook and Instagram services. There, the Irish DPC was initially supportive of Meta’s position, in that Meta’s Facebook services appeared to be premised on the provision of a personalised service that included behavioural advertising and such advertising formed part of the contract concluded at the point at which users accepted the terms of service. The European Data Protection Board took a different view, finding that Meta could not rely on contractual necessity as a lawful basis for processing personal data for the purposes of behavioural advertising, on the basis that “the main purpose for which a user uses the Facebook service is to communicate with others”, not receiving personalised advertising, and that “as a general rule, the processing of personal data for behavioural advertising is not necessary to perform a contract”, in part because less intrusive alternatives exist. In January 2023 the EDPB issued two binding decisions, and the DPC was compelled to issue the fine and decision against Meta on the basis of those decisions.

The CJEU is, not surprisingly, more in line with the EDPB binding decision than the DPC’s original decision in that case. As to legitimate interest, it is generally accepted that in some circumstances that may justify processing of personal data for direct marketing. Indeed, that position is reflected in Recital 47 of the GDPR. The CJEU has nevertheless reinforced the view that legitimate interest does not typically extend to behavioural advertising. That is no doubt a blow to Meta. In press announcements following the DPC and EDPB’s decisions in January 2023, Meta indicated that it still believed that lawful bases (other than contractual necessity) were open to it, and Meta has since taken steps to improve transparency[2] and to move toward a combination of consent and legitimate interest[3] as its legal bases for processing personal data for behavioural advertising, including announcing an increased focus on consent in August 2023, following the CJEU’s decision.

It is now arguable that consent is the only relevant remaining lawful basis that Meta might readily establish to permit its processing of personal data for behavioural advertising on Facebook. As the CJEU makes very clear, the problem with consent is that it needs to be informed, freely given, express and revocable. A DPA might take some persuading that such criteria have been satisfied, especially where there is a clear imbalance between user and controller such as might exist where a particular service dominates the market. The CJEU suggested that freedom of choice for the user might be introduced by offering an equivalent alternative (for an appropriate fee), and providing more granular consent options (i.e., distinguishing between on-Facebook and off-Facebook data), but it is not at all clear what might be appropriate in practice.

It will be interesting to see whether a DPA raises these issues in turn, with the potential to levy further large fines under GDPR, beyond the huge fines already imposed on Meta.

Article written for Entertainment Law Review.

[1] Case C‑252/21, Meta Platforms Inc. v Bundeskartellamt, EU:C:2023:537 (4 July 2023).

[2] https://about.fb.com/news/2023/02/increasing-our-ads-transparency/ [accessed 20 October 2023].

[3] https://about.fb.com/news/2023/01/how-meta-uses-legal-bases-for-processing-ads-in-the-eu/ [accessed 20 October 2023].

Andrew Wilson-Bushell, Associate