A non-binding opinion issued today by an influential advisor to the Europe Union’s top court could foreshadow a major regional development at the intersection of privacy and competition regulation — or ‘privacy vs competition’ as it’s sometimes narrowly framed.
The opinion follows a referral to the Court of Justice (CJEU) related to an appeal by Facebook (aka Meta) which has been challenging a 2019 order by Germany’s competition watchdog (the FCO) against Facebook’s so-called ‘superprofiling’ of users. The FCO’s case argues that the tech giant’s combining of data on users across multiple services and websites — ergo, Facebook’s total denial of users’ privacy — is itself an “exploitative abuse” linked to its market power and therefore also an abuse of competition laws that the FCO is competent to regulate.
Facebook has been appealing against the FCO’s order by arguing that antirust enforcers should essentially stay in their lane — since they are not the designated oversight bodies for the EU’s General Data Protection Regulation (GDPR).
But today’s opinion pushes against such siloing. And if the Court follows its advisor’s view it could provide a major boost to privacy rights across the EU as antitrust authorities would get a green light to consider data protection compatibility as part of their assessment of competition rules. (Though it’s worth emphasizing that all we have today is an opinion, not binding law; the CJEU itself has still to rule on the questions referred to it.)
This is important because the historically siloed approach of regulatory enforcement touching the digital sphere has failed to keep pace with data-mining platform giants, enabling certain firms to amass massive market power through systematic abuse of privacy — despite the EU having long-standing privacy rules (on paper).
A key piece of the blame is therefore really a failure of stand-alone enforcement of data protection law by European regulators — so if the bloc’s competition authorities can also factor in privacy-related data abuses when they assess competition concerns it widens the oversight net.
From the press release on the AG opinion issued by the Luxemboug court:
“In his Opinion delivered today, advocate general Athanasios Rantos, first, takes the view that, while a competition authority does not have jurisdiction to rule on an infringement of the GDPR, it may nevertheless, in the exercise of its own powers, take account of the compatibility of a commercial practice with the GDPR. In that respect, the advocate general emphasises that the compliance or non-compliance of that conduct with the provisions of the GDPR may, in the light of all the circumstances of the case, be an important indication of whether that conduct amounts to a breach of competition rules.”
AG Rantos’ opinion goes on to observe that any assessment made by a competition authority in relation to GDPR compliance would be “without prejudice” to the powers of the competent supervisory authority under the regulation, adding: “Therefore, the competition authority must take account of any decision or investigation by the competent supervisory authority, inform the latter of any relevant details and, where appropriate, consult it.”
So the direction of travel being advocated for by the CJEU’s advisor is towards more joint-working between competition and privacy regulators.
Back in 2019, the FCO ordered Facebook to stop combining user data — threatening, at a stroke, a hard stop on its surveillance-based business model (at least in Germany). Yet the legality of Meta’s data processing was also being challenged under EU privacy law — however procedural bottlenecks have spun complaints out over years and delayed GDPR enforcement against the most powerful tech platforms (where the need for action is the most acute). So if antitrust authorities across the EU are empowered to also factor in privacy abuses and work more closely with data protection regulators it could put much needed momentum behind enforcement that helps unplug some of the bottlenecks.
The AG’s opinion may also send a signal to the EU’s antitrust authority to rework its approach. The bloc’s competition unit has, historically, been wary of combining privacy and competition — hence, in recent years, its willingness to override major privacy objections raised against the Google-Fitbit merger and allow the deal to go ahead with just a few concessions.
While the FCO’s case against Facebook is rightly seen as pioneering, in the years since the German regulator started digging into Facebook’s exploitation of users’ privacy, other regional oversight bodies have been waking up to the need to evolve their approach — and joint working between privacy and competition authorities is already on the rise — with, for example, the UK’s ICO and CMA working together on a competition case related to Google’s ‘Privacy Sandbox’ proposal to evolve its adtech; and French competition and privacy authorities consulting on complaints against Apple’s App Transparency Tracking feature (which the French antitrust watchdog declined to block), to name two recent examples of consultation and co-working.
Zooming out again quickly, the EU has also approved a major ex ante update to competition rules — called the Digital Markets Act (DMA) — which sets binding operational requirements on the most powerful platforms that include some provisions limiting how data can be used.
Application of the DMA is due to start next year — so a new competition regime for the most powerful companies is absolutely incoming in Europe. (Germany already passed a domestic reboot of its digital competition rules — handing special abuse powers to the FCO which, earlier this year, designated Facebook as one of a number of tech giants falling under the regime; with the classification standing for five years.)
Consent and sensitive data
The AG’s opinion deals with a number of other legal questions that have been referred to the court via Facebook’s appeal to the FCO’s original anti-superprofiling order — with the advisor taking the view that market dominance, per se, does not itself call into question the validity of a consent-based legal basis for a social media service to process user data.
However the advisor suggests market muscle should be factored into the assessment of the freedom of the consent — which he says it is up to the data controller to demonstrate. (NB: The GDPR’s standard for consent as a legal basis for processing personal data is that it must be specific, informed and freely given.)
The AG also does not preclude the possibility that Facebook may be able to process some personal data by relying on alternative legal basis to consent — but only if the processing relates to operational elements that are actually necessary for the provision of the services related to providing the Facebook account. And there he appears to cast doubt that ‘personalized ads’ would fit the definition of “necessary”.
“[T]he advocate general considers that, although the personalisation of content and advertising, the continuous and seamless use of the Meta Platforms group’s services, the security of the network or the improvement of the product may be in the interests of the user or the data controller, those components of the practice at issue do not appear to be necessary for the provision of the abovementioned services,” the Court writes in the press release.
The AG also weighs in on a question related to the processing of sensitive personal data (defined under GDPR as data on racial or ethnic origin, political affiliation, health data, sexual orientation etc) — and on profiling based on sensitive characteristics — pointing out that a prohibition in the regulation on such processing may apply in this context; and, furthermore, that for an exemption in the GDPR to apply (for data which the data subject has “manifestly made public”) the user must be “fully aware that, by an explicit act, he is making personal data public”.
“According to the advocate general, conduct consisting in visiting websites and apps, entering data into those websites and apps and clicking on buttons integrated into them cannot, in principle, be regarded in the same way as conduct that manifestly makes public the user’s sensitive personal data,” the press release goes on, suggesting that the act of background surveillance imposed by Facebook on users via tracking infrastructure embedded into its own services and into third party websites would not constitute a viable get out to avoid the ban on processing sensitive data. Which would mean Facebook would need to either not process users sensitive data at all (good luck!) — or explicitly ask people’s permission to do so. (And you can’t imagine many people willingly agreeing to let Facebook track such stuff.)
Of course it remains to be seen whether the Court will agree with its advisor on all these points.
The CJEU does often, though not always, follow its AGs’ reasoning — so the opinion itself is certainly noteworthy. Typically, it takes between three and six months after an AG opinion for the CJEU to issue a ruling which means the earliest this could be issued is at the end of this year.
Once the CJEU issues its ruling it will be passed back to the referring court — in this case the German court hearing Facebook’s appeal against the FCO order — meaning that a final verdict on that case should be coming some time next year.