Users of Facebook, owned by Meta Platforms Inc (formerly Facebook Inc), must accept Facebook’s terms of service, which refer to Meta’s data and cookies policies, before using the social network services. Under those terms, Meta collects data from other Meta services, such as Instagram and WhatsApp, as well as from third-party websites and apps via integrated interfaces or cookies placed on the user’s computer or mobile device. Meta then links that data to the user’s Facebook account and uses them for various purposes, including advertising.

The German Federal Competition Authority (GFCA) investigated Meta’s data processing, finding that it did not comply with the GDPR and was an abuse of Meta’s dominant position in the social network market in Germany. Accordingly, it injuncted Meta from further data processing and imposed measures to stop it from doing so.

Meta appealed the GFCA’s decision to the German court, which has asked the Court of Justice of the European Union whether national competition authorities are entitled to assess compliance with the GDPR. It also asked questions relating to: (i) the interpretation of the prohibition on processing sensitive personal data and the conditions applicable to consenting to its use; (ii) the lawfulness of the processing of personal data in the light of certain exemptions under the GDPR; and (iii) the validity of consent to the processing of personal data given to an undertaking in a dominant position.

The Advocate General (AG) opined that, while a competition authority does not have jurisdiction to rule on infringement of the GDPR, it can nevertheless consider the compatibility of a commercial practice with the GDPR. The AG said that compliance or non-compliance with the GDPR may be an important indication of whether there is a breach of competition rules.

However, the AG said that a competition authority can only assess compliance with the GDPR as a subsidiary issue, without prejudice to the powers of the relevant national data protection authority. The competition authority must take account of any decision or investigation by the national data protection authority, keep it informed of its own investigations and, where appropriate, consult the authority.

The AG also said that the mere fact that that a social network operator enjoys a dominant position on the national market does not call into question the validity of the user’s consent to the processing of his/her personal data. A dominant position does, however, play a role when assessing whether such consent can be considered to have been freely given, which is up to the data controller to demonstrate.

The AG also said that Meta’s practices might fall within GDPR exemptions for the processing of data without consent, if it can show that such practices are necessary for the provision of its Facebook services. However, the AG considered that, although the personalisation of content and advertising, the provision of seamless use of Meta’s other services, the security of the network or the improvement of the product might be in the interests of the user or the data controller, they did not appear to be necessary for the provision of Facebook services.

As for the prohibition on processing sensitive personal data, the AG said this would apply if the processed data, whether considered individually or as aggregated data, allows a user profile to be built and categorised based on the sensitive characteristics in the GDPR. The AG emphasised that for the exemption on use of data that the user has already manifestly made public to apply, the user must be fully aware that he/she is making personal data public through his/her own explicit actions. In the AG’s view, visiting websites and apps, entering data into those websites and apps and clicking on links to integrate them could not, in principle, be regarded in the same way as use that manifestly makes public the user’s sensitive personal data. (Case C-252/21 Meta Platforms Inc v Budeskartellamt (Opinion of Advocate General) EU:C:2022:704).