The CJEU’s Decision in Meta’s Competition Case Part 2: Sensitive Data and Privacy Enforcement by Competition Authorities

Yesterday, I delved into the recent judgment in the Meta case (Case C-252/21) from the Court of Justice of the European Union (CJEU). I gave a preliminary analysis of the Court’s view on some of the complexities surrounding the processing of personal data for personalized advertising under the GDPR, focusing on three lawful bases for data processing - contractual necessity, legitimate interest, and consent. I emphasized the importance of a nuanced understanding of the CJEU decision. I pointed out that it does not definitively determine whether Meta can rely on legitimate interest or fall back on user consent for personalized advertising.

In this second part, I continue my exploration, addressing the Court’s discussion of processing special category (sensitive) personal data. Moreover, I’ll delve into the implications of this judgment for enforcing GDPR by competition authorities, shedding light on the future of the one-stop-shop principle. 

Following the CJEU decision, the special category data issue remains difficult for digital services. Still, we don’t have too much new guidance from the CJEU. And regarding the enforcement question, the use of ‘indirect’ enforcement by competition authorities could significantly affect data privacy regulations’ trajectory in the European Union.

Undermining the one-stop-shop GDPR enforcement?

Even with a single set of general rules in the GDPR, navigating the maze of different data protection enforcement approaches across European countries could be challenging. The European Union recognized this and introduced the one-stop-shop principle under the GDPR in a positive move towards harmonization. The core idea is that you don’t have to deal with various national data protection authorities (DPAs) if you’re a business operating in multiple EU member states. Instead, you have one lead supervisory authority (LSA), typically located in the member state where your company has its main establishment or where your central administration in the EU is situated.

This case arose from an investigation by the German competition authority (the FCO), in which the FCO decided that Meta abused its dominant position (in the meaning of competition law) by engaging in conduct that violated the GDPR. The German court, which heard the resulting case between Meta and the FCO, was unsure whether this was something a competition authority could do, so it asked the CJEU. 

The CJEU concluded that a national competition authority could do that with several limitations. First, it cannot depart from a decision of a privacy authority. Second, in case of doubt, it must “consult and seek the cooperation” of privacy authorities. But if once consulted, the relevant privacy authorities do not object or don’t reply “within a reasonable time,” then the national competition authority can proceed.

In this case, the Irish Data Protection Commission (DPC) was consulted, and they informed the German FCO that they did not investigate the issues in question and didn’t object to the FCO’s actions. 

It may seem too strong to say that the CJEU’s approach undermines the one-stop-shop principle because it effectively gives the competent privacy authority veto power. However, from the perspective of a business operating across the EU, this situation may significantly undermine the benefits of harmonizing GDPR enforcement. 

There may be operational reasons (e.g., staffing) why a competent privacy authority may not be able to effectively scrutinize the activities of various national competition authorities. Especially if - following the CJEU judgment - those authorities become very enthusiastic about relying on perceived breaches of the GDPR. 

The situation is further complicated by the potential need for a data privacy authority (DPA) to determine whether to contest a competition authority’s findings on the application of the GDPR, especially if an investigation is not already underway. The DPA may need to initiate an investigation to make this determination. However, conducting such an investigation within a timeframe the competition authority deems “reasonable” may present significant practical challenges.

Alternatively, the DPA might have to form a stance without the benefit of a comprehensive investigation. This approach could lead to several undesirable outcomes, such as erroneous decisions. Furthermore, it could deny the business under scrutiny the opportunity to present its perspective on the GDPR issues before the authority that holds the relevant jurisdiction. 

Competition authorities could strategize their approach in a manner that may disadvantage privacy authorities. They may undertake lengthy and thorough investigations independently before consulting the relevant privacy authorities towards the end of their process. This could create an expectation for privacy authorities to agree with their findings on applying the GDPR within a comparatively shorter, “reasonable” time frame. This significantly reduced review and agreement time could undermine the regulatory process’s balance and thoroughness.

Special categories of data (sensitive data)

The GDPR allows processing “special categories” of personal data in more limited circumstances than the standard lawful bases (legitimate interest, contractual necessity, and so on). This specially protected category includes: “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation” (Article 9(1) GDPR).

In business contexts, two situations justifying the processing of special category data are likely to be relevant: (1) consent of the data subject and (2) “data which are manifestly made public by the data subject.” 

In this case, the issue was twofold. Firstly when might collecting and using off-platform (third-party) data by Facebook involve the “processing of special categories of personal data.” Secondly, under what circumstances could users be considered to have made their data manifestly public?

Regarding the first issue, the Court didn’t provide much guidance. It asserted that it is possible for data about users merely visiting some websites (without even interacting with those websites beyond opening them) to reveal special category data. But the CJEU left it to the national court to determine whether that is the case in any specific situation. 

In doing so, the Court didn’t expressly follow the approach of AG Rantos, who suggested in his opinion in this case that “it might be worth distinguishing, where appropriate, between the processing of data which prima facie may be categorized as sensitive personal data, which alone allow profiling of the data subject, and the processing of data that are not inherently sensitive but require subsequent aggregation to draw plausible conclusions for profiling purposes.” The Court’s judgment doesn’t seem to contradict AG Rantos’ “existence of categorization” analysis, but it also doesn’t endorse it. 

Regarding the second issue, the Court adopted a narrow interpretation of what it means for data to be made manifestly public. A decision merely to visit a website does not count. Nor does any specific interaction with the website (e.g., using “Like” or “Share”) functionality, unless a user decides ex-ante in their settings to make such information “accessible to the general public” or explicitly consent to that while interacting with the website. 

Conclusions

In conclusion, the CJEU’s decision in Meta’s competition case has several implications for enforcing the GDPR. Firstly, the decision raises concerns about undermining the one-stop-shop principle under the GDPR. While the CJEU’s approach gives veto power to competent privacy authorities, it may complicate the harmonization of GDPR enforcement for businesses operating across multiple EU member states. The need for privacy authorities to scrutinize the activities of various national competition authorities could pose operational challenges and hinder the benefits of harmonization.

Secondly, the judgment sheds some light on processing special category (sensitive) personal data. However, the CJEU’s guidance on this matter remains limited, as it leaves it to national courts to determine whether particular data collection practices involve processing special category data. The CJEU adopts a narrow interpretation of what constitutes data being made manifestly public, emphasizing that mere website visits or interactions without explicit consent or accessibility to the general public do not qualify.