THE BOTTOM LINE
- New Enforcement Risk: Dominant companies now face a dual threat. National competition authorities can investigate and penalize businesses for GDPR violations as part of an antitrust case, significantly expanding the regulatory battlefield.
- Data Justification Under Fire: Relying on “performance of a contract” to justify extensive data collection is now riskier. The Court has signaled that only data strictly necessary for the core service is covered, questioning the legality of processing off-platform user data for personalization.
- Consent Must Be Explicit: For processing sensitive personal data (even data that is just inferred, like political leanings or sexual orientation), companies must obtain clear, separate, and explicit consent. Burying it in general terms and conditions is not compliant.
THE DETAILS
In a landmark ruling, the Court of Justice of the European Union (CJEU) has fundamentally altered the compliance landscape for data-driven businesses. The case originated from a decision by Germany’s competition authority, the Bundeskartellamt, which found that Meta (formerly Facebook) was abusing its dominant market position by collecting and processing user data without effective consent, thereby violating the General Data Protection Regulation (GDPR). The central question for the Court was whether an antitrust regulator had the authority to rule on data protection matters. The CJEU’s answer was a resounding “yes,” provided the regulator cooperates with the relevant data protection authorities. This decision empowers competition watchdogs across the EU to assess GDPR compliance when determining if a company’s business practices are exploitative or unfair.
The Court’s reasoning delved deep into the legal bases for data processing under the GDPR. It cast serious doubt on whether a social network’s collection of user data from third-party websites and services (e.g., through “Like” buttons or tracking pixels) could be justified as necessary for the performance of a contract. While personalization is a feature, the Court suggested it may not be part of the core contractual service for which users sign up, making this legal basis fragile for wide-scale data aggregation. This puts pressure on all businesses, not just social media platforms, to re-evaluate whether their data processing activities are truly indispensable for their primary service offering.
Finally, the judgment delivered a powerful clarification on consent, particularly concerning special categories of personal data. The Court noted that user activities can allow a platform to infer sensitive information like ethnic origin, political opinions, or sexual orientation. For such data, the GDPR requires explicit consent. The CJEU found that a dominant platform like Meta is in a position where users may feel they have no genuine choice but to accept the terms. Therefore, consent bundled into a general acceptance of terms and conditions is insufficient. This reinforces that for sensitive data, the consent mechanism must be separate, unambiguous, and genuinely freely given.
SOURCE
Court of Justice of the European Union
