The CJEU’s Decision in Meta’s Competition Case: Consequences for Personalized Advertising Under the GDPR (Part 1)
Today’s judgment from the Court of Justice of the European Union (CJEU) in Meta’s case (Case C-252/21) offers new insights into the complexities surrounding personalized advertising under the EU General Data Protection Regulation (GDPR). Notably, this decision stems from an attempt to rely on the GDPR by the German competition authority (FCO), and the main question the Court answered concerned the legality of that attempt (the Court gave the green light). However, the Court’s decision also explored other issues, including lawful bases of data processing under the GDPR, notably for personalized advertising.
Given the legal nuances in the Court’s decision, it is perhaps unsurprising that some early reports are somewhat confused. For example, it is suggested that the Court proclaimed that Facebook must now ask users for consent to process their data for personalized advertising. In this short text, I attempt to dispel misconceptions and highlight key takeaways from this important decision. Note that this analysis is a preliminary, first-impression look at the case.
I divided my discussion into two parts. Here, I cover the lawful basis for the processing of personal data for personalized advertising (contractual necessity, legitimate interest, and consent). In the second part, I will examine the issue of special category (sensitive) data and what “indirect” enforcement of the GDPR by competition authorities means for the one-stop-shop principle.
To process personal data lawfully under the GDPR, businesses must rely on one of the “lawful bases” of data processing listed in Article 6 GDPR. This list includes, among others, the “consent,” “contractual necessity,” and “legitimate interests” bases. In January, the Irish Data Protection Commissioner (DPC) issued a decision, largely forced by the European Data Protection Board (EDPB), in which she found that Meta cannot rely on contractual necessity for personalized advertising on Facebook and Instagram. Meta disagrees with that GDPR interpretation, and I think their critique has merit. For more detail, see my blog post and my podcast with Eric Seufert.
Meta’s response to the Irish DPC’s decision was to switch from contractual necessity to legitimate interests as a basis for personal data processing for personalized advertising. Eric Seufert and I covered it in another podcast. The critics decried Meta’s decision as a move to an “equally illegal basis.”
Among the crucial questions remains whether Meta can rely on legitimate interest for personalized advertising. And if they can’t, can they fall back on express user consent? Those who generally oppose personalized advertising likely hope the answer to both questions is: “no.” However, despite some hasty public comments, today’s judgment does not resolve those questions either way.
First-party vs. third-party data
The case focused on “third-party data”: data collected off-platform, by other websites or by Meta services other than Facebook. The lawful basis for processing such data is an important question. Still, it is not nearly as important as the question of processing “first-party data”: data processed by Facebook and collected directly by Facebook. This doesn’t mean the judgment is irrelevant to questions about first-party data processing. It does, however, mean that we have to be very careful when reading the decision to assess to what extent the Court decided to go beyond the scope of the case before it.
While addressing the key “questions 3 to 5” (questions asked by a German court), the Court prefaced the discussion by rephrasing the asking court’s question in the following way:
… the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps …
This defines the scope of the “data at issue” or the “processing in question” that is the main subject of the Court’s later discussion.
Addressing contractual necessity, the Court argued that for the processing of personal data to be lawful under this basis, it must be objectively indispensable to the contract’s primary objective. The processing cannot be merely useful.
The judges questioned whether personalization was necessary for a social network service but did not definitively rule on this matter. The Court left this issue to be resolved by the national court. Interestingly, the Court did not directly reference personalized advertising. Instead, it explicitly discussed personalization of content. However, the Court also noted more generally that “it does not appear, subject to verification by the referring court, that the processing at issue in the main proceedings is strictly necessary for the performance of the contract” (para 149). And “the processing at issue in the main proceedings” does include personalized advertising (para 27).
Should we view the Court’s comments as extending to first-party data? The text of the decision neither expressly limits the remarks to third-party data, nor does it explicitly refer to first-party data. Given the scope of the question that the Court itself said it is answering (limited to third-party data), it could arguably be an out-of-context reading of, for example, para 102, to extend it to first-party data. Notably, the conclusion of that discussion in para 104 also makes it clear that it applies to third-party data.
Setting that aside, even if only applicable to third-party data, the Court’s approach is open to criticism of the kind that Kristian Stout and I leveled against the EDPB’s approach:
This stilted view of what counts as a “service” completely fails to acknowledge that “necessary” must mean more than merely technologically possible. Any service offering faces both technical limitations as well as economic limitations. What is technically possible to offer can also be so uneconomic in some forms as to be practically impossible. Surely, there are alternatives to personalized advertising as a means to monetize social media, but determining what those are requires a great deal of careful analysis and experimentation. Moreover, the EDPB’s suggested “contextual advertising” alternative is not obviously superior to the status quo, nor has it been demonstrated to be economically viable at scale.
Thus, even though it does not strictly follow from the guidelines, the decision in the Meta case suggests that, in practice, the EDPB pays little attention to the economic reality of a contractual relationship between service providers and their users, instead trying to carve out an artificial, formalistic approach. It is doubtful whether the EDPB engaged in the kind of robust economic analysis of Facebook and Instagram that would allow it to reach a conclusion as to whether those services are economically viable without the use of personalized advertising.
On the topic of legitimate interests, the Court made two significant assumptions.
Firstly, it asserted that Facebook users could not reasonably expect their data, collected by other services (third-party data), to be processed by Facebook for personalized advertising. The Court gave no justification for this assertion. It just stated that even if a service is offered free of charge, users cannot reasonably expect the service provider to process user data collected by third parties for personalized advertising.
Notably, the Court did not state that explicitly about first-party data (this is highlighted in para 151). Perhaps the Court intentionally left open the road to using the legitimate interests basis for processing first-party data for personalized advertising. Naturally, it could also be that the Court simply decided to stay within the scope of the questions asked and that we should not draw any broader conclusions.
Secondly, the Court emphasized that this kind of data processing significantly affects the user due to its comprehensive nature and the unlimited scope of data it could potentially encompass. This, the Court argued, could create the impression of continuous monitoring of the user’s private life.
This line of argumentation may be aimed at distinguishing large social networks from other online service providers who rely on legitimate interests, including for personalized advertising. Large social networks may be held to a stricter standard, given their vast data collection.
If these comments on legitimate interests are interpreted as encompassing all data, not just third-party data, it could complicate matters for social networks relying on this basis. However, as I noted, the better reading seems to be that the Court limited its answer to the scope of the question asked by the German court, i.e., to third-party data.
In the event of further restrictions on using contractual necessity and legitimate interest bases for personalized advertising, businesses might look to consent as a solution. However, the Court had some reservations here, too, particularly for large digital services.
Drawing on antitrust/competition law and the concept of a “dominant position,” the Court asserted that a service’s market dominance is relevant in determining whether user consent is “freely given.” If consent is not “freely given,” then it is invalid. The invalidity of consent and restrictive interpretations of contractual necessity and legitimate interest could significantly limit the kind of personal data processing that large service providers can do. Some will likely argue that the result should be a de facto prohibition of personalized advertising by large digital service providers. However, we are not there yet.
The Court affirmed that merely having a dominant position does not mean that users’ consent is invalid. However, it has given national authorities, especially competition authorities, another tool to push in that direction.
Importantly, the Court raised the possibility of paid or subscription alternatives to free services dependent on consent. Such alternatives must provide not only access to the service but an “equivalent” level of service: “users are to be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations” (para 150).
It is unclear what equivalence is supposed to mean in practice. Perhaps businesses would be required to offer the same service, without personalized advertising, but also without additional features. Or, at least, to offer one among several tiers of paid subscriptions, which come neither with personalized advertising nor additional features. The questions raised here are analogous, if not identical, to some of the issues raised by the Digital Markets Act (DMA)—especially its recitals 36-37.
One welcome feature of the Court’s approach is that it rejects the idea that consent is not “freely given” whenever the alternative to consent is not free of charge (i.e. when the alternative to consent is to pay).
The Court’s own discussion seems to include an interesting contradiction. On the one hand, the Court rejects that using third-party personal data for personalized advertising is necessary for the performance of a contract between the user and Meta/Facebook. But on the other hand, the Court suggests offering a version of the service without data processing for personalized advertising, among other things, “if necessary for an appropriate fee.” What is the “appropriate fee” meant to be “necessary” for? Necessary for the service provider to be able to fund providing the service? How is that not a “contractual necessity”? This shows rather well the stilted formalism of the narrow interpretation of “contractual necessity.”
Meta already relies on user consent to use off-platform/third-party data. (Though there may be a question as to whether data that comes from Meta’s services other than Facebook/Instagram counts as “third-party.”) Moreover, the German competition authority announced that it was happy with Meta’s recent changes to the “account center.” However, the German authority noted that they may revisit the issue under a different legal basis (Section 19a of the German Competition Act, which I recently discussed here).
To be continued in part 2, covering special category (sensitive) data and what “indirect” enforcement of the GDPR by competition authorities means for the one-stop-shop principle.