The Bottom Line
- Forcing users to accept personalized advertising as part of a platform’s terms and conditions, a model often called “consent-by-contract,” is not a valid legal basis for data processing under the GDPR. Businesses must seek a separate, freely given consent.
- National competition authorities can now investigate and sanction GDPR violations when determining if a dominant company is abusing its market position, creating a significant new avenue for regulatory risk.
- Processing sensitive personal data (e.g., on political views, religion, or sexual orientation) for ad targeting requires explicit user consent. This consent cannot be inferred simply from a user’s activity, such as liking a page or watching a video.
The Details
The Court of Justice of the European Union (CJEU) has delivered a landmark ruling that fundamentally challenges the data processing models of major online platforms. The case originated from a decision by Germany’s competition authority, the Bundeskartellamt, which found that Meta (formerly Facebook) was abusing its dominant market position by collecting user data without valid consent under the GDPR. The CJEU was asked to clarify whether a competition authority could make such a finding and whether Meta’s legal justifications for its data processing were sound. The Court sided decisively with the German regulator, establishing a critical link between data protection and competition law.
In its reasoning, the Court dismantled the argument that personalized advertising is necessary for the “performance of a contract” with the user. It clarified that while users agree to a contract to use a social network, personalized advertising is a distinct and non-essential service. Therefore, requiring users to agree to extensive data processing for ads to access the core platform is not a valid justification under GDPR. The Court also cast doubt on “legitimate interest” as a viable alternative, suggesting that the interests and fundamental rights of users would likely override the commercial interests of the platform in this context.
Crucially, the judgment empowers national competition authorities to enforce data protection principles. The CJEU confirmed that when assessing an abuse of a dominant position, a regulator can and should consider whether a company’s conduct complies with rules outside of competition law, such as the GDPR. This fusion of legal domains means that dominant tech companies now face a two-front battle: their data practices can be scrutinized not only by data protection authorities for GDPR compliance but also by competition watchdogs as evidence of anti-competitive behaviour. This precedent significantly raises the stakes for data governance and compliance for market leaders across the EU.
Source
Court of Justice of the European Union
