{"id":66426,"date":"2023-07-20T17:38:26","date_gmt":"2023-07-20T15:38:26","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-96\/"},"modified":"2024-05-11T23:32:23","modified_gmt":"2024-05-11T21:32:23","slug":"data-protection-insider-issue-96","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-96\/","title":{"rendered":"Data Protection Insider, Issue 96"},"content":{"rendered":"<p>CJEU Rules on Data Protection, Social Media, and Competition Law<br \/>\nAdoption of EU-U.S. Data Privacy Framework<br \/>\nEDPB Plenary<br \/>\n&#8211; CJEU Rules on Data Protection, Social Media, and Competition Law &#8211;<\/p>\n<p>On 4th July, the CJEU ruled in the case of Meta Platforms and Others. As to the facts of the case, the German Federal Cartel Office prohibited Meta from combining the personal data it collects on different users across all its platforms, including Facebook, Instagram and WhatsApp, arguing that this constitutes an abuse of the company\u2019s dominant position on the market for users in Germany. Meta decided to challenge the decision in German courts. Against this background, seven questions were referred to the CJEU, which the Court bundled into four sets of considerations, which concerned:<\/p>\n<p>Whether a competition authority can find data processing practices in violation of the GDPR, even where there is an investigation of the same practices by a DPA.<br \/>\nWhether, if a user of a social media network visits, or enters information into, an app or website related to a sensitive category of data, the processing of data related to these by the social media network should be regarded as sensitive data. 
And whether, when the user uses functions on these apps which allow them to be identified, this data should be considered as having been manifestly made public according to 9(2)(e).<br \/>\nWhether Articles 6(1)(b) and (f) mean that processing of users\u2019 data by a social media network, involving the collection and use of data from other services within the same corporate group, or from third-party websites or apps, and \u2018the linking of those data with the social network account of those users and the use of such data\u2019 can be considered as necessary for the performance of a contract, or as within the scope of legitimate interest. And whether Articles 6(1)(c), (d) and (e) could also relate to such data processing, where this processing is carried out to \u2018respond to a legitimate request for certain data, to combat harmful behaviour and promote security, and to research for social good and promote safety, integrity and security\u2019.<br \/>\nWhether, according to Articles 6(1)(a) and 9(2)(a), consent given by a user of a social media network can fulfil the conditions of 4(11) \u2013 especially the condition \u2018freely given\u2019 \u2013 when the operator holds a dominant market position.<\/p>\n<p>In light of these considerations, the Court concluded:<\/p>\n<p>A competition authority investigating the abuse of a dominant position can find an organisation\u2019s practices in violation of the GDPR, where this \u2018finding is necessary to establish the existence of such an abuse\u2019. Where, however, there has already been a decision by a DPA on such practices, the competition authority cannot depart from the decision of the DPA. 
Where the competition authority has doubts regarding the decision, where the DPA is conducting a parallel investigation, or where there is no investigation in progress, the competition authority must consult with the DPA prior to beginning its own procedures.<br \/>\nWhen a user of a social media network visits apps or websites related to the categories of sensitive data, processing of personal data by the social media network related to this use constitutes processing of sensitive personal data when \u2018that data processing allows information falling within one\u2019 of the categories of sensitive data to be revealed.<br \/>\nWhere a user of a social media network visits an app or website related to the categories of sensitive data, the user does not make data related to these visits manifestly public. Where, however, the user makes an explicit choice to make data public \u2013 e.g. by clicking on a share button with certain settings \u2013 these data are considered to have been made manifestly public.<br \/>\nArticle 6(b) means that processing of personal data by a social media network, collected from other services in the same corporate network, or from third-party websites, can be regarded as necessary for the performance of a contract to which data subjects are party, provided \u2018processing is objectively indispensable for a purpose that is integral to the contractual obligation intended for those users\u2019.<br \/>\nArticle 6(1)(f) means the processing discussed in pt. 
4 can fall within the scope of legitimate interests provided \u2018the operator has informed the users from whom the data have been collected of a legitimate interest that is pursued\u2026that such processing is carried out only in so far as is strictly necessary\u2026and that it is apparent from a balancing of the opposing interests\u2026that the interests or fundamental freedoms and rights of\u2026users do not override that legitimate interest\u2019.<br \/>\nArticle 6(1)(c) means that the processing discussed in pt. 4 can fall within the scope of the provision provided \u2018it is actually necessary for compliance with a legal obligation to which the controller is subject\u2026where that legal basis meets an objective of public interest and is proportionate to the legitimate aim pursued and where that processing is carried out only in so far as is strictly necessary\u2019.<br \/>\nArticles 6(d) and (e) mean that the processing discussed in pt. 4 \u2018cannot, in principle and subject to verification by the referring court, be regarded as necessary in order to protect the vital interests of the data subject or of another natural person, within the meaning of point (d), or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, within the meaning of point (e)\u2019.<br \/>\nArticles 6(1)(a) and 9(2)(a) mean that, when a social media network operator holds a dominant position, this \u2018does not, as such, preclude the users of such a network from being able validly to consent, within the meaning of Article 4(11)\u2026to the processing of their personal data by that operator\u2019. Dominance, however, is \u2018an important factor in determining whether the consent was in fact validly and, in particular, freely given, which it is for that operator to prove\u2019.<\/p>\n<p>This is a complex and fascinating case, dealing with a large range of provisions and issues. 
It is also a case which looks likely to have significant implications for EU data protection law \u2013 for example concerning the concept of \u2018freely given\u2019 consent. We strongly advise all those interested in data protection law to read the judgment.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CJEU Rules on Data Protection, Social Media, and Competition Law Adoption of EU-U.S. Data Privacy [&hellip;]<\/p>\n","protected":false},"author":144,"featured_media":65544,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[3551],"class_list":["post-66426","dpi","type-dpi","status-publish","has-post-thumbnail","hentry","dpi-tag-data-protection"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/66426","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=66426"}],"version-history":[{"count":1,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/66426\/revisions"}],"predecessor-version":[{"id":72080,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/66426\/revisions\/72080"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media\/65544"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=66426"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=66426"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=66426"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}