Is surveillance capitalism legal in the EU? (Part 2)
A look at the CJEU's judgment in Meta Platforms Inc and Others v Bundeskartellamt
This series of posts looks at the legalities of surveillance capitalism in the context of EU data protection law, which has been covered in several important decisions in the EU in recent years. The first post in this series looked at whether behavioural advertising can be carried out on the basis of contractual necessity (spoiler, it cannot!).
This post looks at the judgment of the Court of Justice of the European Union (CJEU) concerning the legalities of Facebook's surveillance capitalism under EU law. The parties to this case were of course Meta and the Bundeskartellamt, the German competition authority.
The Facts of the Case
In Bundeskartellamt, the CJEU described the Facebook service as follows:
The business model of the online social network Facebook is based on financing through online advertising, which is tailored to the individual users of the social network according, inter alia, to their consumer behaviour, interests, purchasing power and personal situation. Such advertising is made possible in technical terms by the automated production of detailed profiles in respect of the network users and the users of the online services offered at the level of the Meta group. To that end, in addition to the data provided by the users directly when they sign up for the online services concerned, other user- and device-related data are also collected on and off that social network and the online services provided by the Meta group, and linked to their various user accounts. The aggregate view of the data allows detailed conclusions to be drawn about those users' preferences and interests.1
In using Facebook, users must adhere to its terms of service which refer to the company's data and cookies policies. These policies explain how Meta processes users' personal data while using the platform.
Included in the data processed is what is called 'off-Facebook data'. This consists of data about "visits to third-party webpages and apps, which are linked to Facebook through programming interfaces – 'Facebook Business Tools' – as well as data concerning the use of other online services belonging to the Meta group, including Instagram, WhatsApp, Oculus and – until 13 March 2020 – Masquerade."2
By a decision made in February 2019, the Federal Cartel Office in Germany prohibited Meta from processing off-Facebook data of German users and processing German user data without consent. It also required that the terms of service be changed so that they made clear that off-Facebook data would not be used without consent and that the giving of consent for such processing should not be a condition for using Facebook.
This decision was based on the Office's view that Facebook's terms of service and use of user data abused its dominant position in the online social network market in Germany. It cited Facebook's lack of compliance with the GDPR in this regard, in particular the following two provisions:
Article 6.1, which provides the legal bases on which data may be processed under the Regulation.
Article 9.2, which provides the exceptions to the prohibition of the processing of special categories data (i.e., providing the legal bases for processing sensitive data).
Meta contested this decision, but also made two key changes to the Facebook service:
In July 2019, Meta introduced new terms of service which stated that, rather than users paying to use Facebook, users had to agree to being shown advertisements.
In January 2020, Facebook introduced a feature called 'Off-Facebook Activity' that allows users to view a summary of the information that Meta collects about them from their activities outside of the platform that are linked to their account on Facebook.
The contested decision was eventually put before the Higher Regional Court of Düsseldorf, which made a preliminary reference to the CJEU to answer questions on EU law, including those pertaining to the GDPR.
Questions of Law
The questions of law submitted by the Düsseldorf court to the CJEU concerning Facebook's data processing practices and compliance with the GDPR were essentially the following:
When Meta collects information about user activity on flirting apps, gay dating sites, political party websites or health-related websites and links this information to user accounts on Facebook, does this constitute the processing of special categories data under Article 9.1 GDPR? If so, does the exception for personal data manifestly made public under Article 9.2(e) apply to such processing by Meta?
What legal basis can Meta rely on to process user data to operate a social network funded by a business model based on surveillance capitalism?
Can consent from users be freely given to Meta, as required under GDPR, despite the company being a 'dominant undertaking'?
The CJEU's Judgment
Processing of Sensitive Data from Off-Facebook Activity
The Court started its answer to this question by explaining the workings of Article 9, which specifies the rules on the processing of sensitive personal data.
Article 9.1 provides a general prohibition on the processing of such data and also lists the types of data this includes, for example health data and data revealing racial or ethnic origin. However, Article 9.2 lists the exceptions to this prohibition whereby a data controller can process sensitive data where one of those listed exceptions applies.
Regarding Facebook specifically, the Court found that Meta's collection of user activity from flirting apps, gay dating sites, political party websites and health-related websites involved the collection of personal data. This is the case even if users do not directly enter information on these apps or websites when they register or place an online order.3
On this basis, the Court therefore stated that collecting such data and linking it to user accounts on Facebook must be regarded as the processing of sensitive personal data under Article 9.1. The processing of such data therefore must be covered by one of the exceptions under Article 9.2.4
Regarding sensitive data that are manifestly made public, which is one of the exceptions listed under Article 9.2, the Court made the following general observations:
This exception only applies where the data are manifestly made public by the data subject themselves, rather than by a third party.5
This exception, as well as all the other exceptions listed under Article 9.2, must be interpreted strictly.6
For this exception to apply, it needs to be shown that the data subject "had intended, explicitly and by a clear affirmative action, to make the personal data in question accessible to the general public."7
Applying these observations to the individuals accessing the aforementioned apps and websites, the Court made the following stipulations:
Merely accessing these apps or websites does not mean that the data subject intended to make such activity public or for that information to be linked to them.8
Making interactions with these apps or websites public may be determined by the individual settings chosen by that user if such settings are available to users and they are able to make informed decisions in adjusting them, otherwise it must be shown that the users explicitly consented to making such interactions public on the basis of express information.9
In any case, users do not manifestly make their visits to sensitive apps or websites public merely by online social media networks like Facebook collecting information about such visits via cookies or other similar technologies.10
Legal Basis for Surveillance Capitalism
In answering this question, the Court made several preliminary observations:
If a dataset comprises both sensitive and non-sensitive data, and the two are not separated during the processing operation, then the dataset is subject to the prohibition on the processing of sensitive data under Article 9.1 of the GDPR. This is unless one of the derogations under Article 9.2 applies.11
For the processing of personal data to be lawful under Article 6.1, only one of the legal bases under that provision needs to apply.12 Additionally, the list of legal bases under that provision should be seen as "an exhaustive and restrictive list of the cases in which processing of personal data can be regarded as lawful."13
If personal data cannot be processed on the basis of consent because the controller cannot meet the requirements of consent under the GDPR, then the processing may still be justified if it meets the requirements of necessity for the bases under paragraphs (b) to (f) in Article 6.1.14 Those legal bases from (b) to (f) must be interpreted restrictively.15
It is for the controller to prove that the personal data it processes are processed for specified, explicit and legitimate purposes in a lawful, fair and transparent manner. The GDPR also requires the controller to inform data subjects of the processing purposes and the legal basis for the processing.16
Following these preliminary points, the Court went through each of the legal bases under Article 6.1 and provided guidance on how to interpret these provisions and when they could apply.
Contractual necessity
Contractual necessity is an issue covered by the European Data Protection Board in its January 2023 decision regarding the use of behavioural advertising by Facebook. In that decision (the subject of the previous post in this series), the EDPB found that behavioural advertising could not be justified on the basis of contractual necessity, and here in Bundeskartellamt the CJEU reached the same conclusion.
According to the Court, to rely on contractual necessity, it must be shown that the processing of personal data is "objectively indispensable for a purpose that is integral to the contractual obligation intended for the data subject."17 In other words, the controller must show that without the data processing, the contract cannot be fulfilled.
This therefore means that the processing of personal data that is merely "useful" for the fulfilment of the contract is insufficient. The processing must be "essential for the proper performance of the contract concluded between the controller and the data subject."18
Regarding personalised content on Facebook, the Court found this to only be "useful" to the user and not essential to fulfilling the contract with users set out in its terms of service:
...the fact remains that...personalised content does not appear to be necessary in order to offer that user the services of the online social network. Those services may, where appropriate, be provided to the user in the form of an equivalent alternative which does not involve such a personalisation, such that the latter is not objectively indispensable for a purpose that is integral to those services.19
On this basis, the Court concluded that online advertising does not seem necessary to provide Facebook, which is an online social network service. Contractual necessity can therefore not be used for personalised advertising on such services.20
Legitimate interest
To rely on a legitimate interest as the legal basis for data processing, the Court noted three cumulative conditions that need to be met:21
It needs to be shown that the controller or a third party is pursuing a legitimate interest. This means that the controller must inform data subjects of the legitimate interests being pursued at the time that their data are collected.22
The processing of personal data must be necessary to pursue that legitimate interest. This requires proof that "the legitimate data processing interests pursued cannot reasonably be achieved just as effectively by other means less restrictive of the fundamental rights and freedoms of data subjects."23
The legitimate interest being pursued, and the data processing it entails, must not take precedence over the interests or fundamental freedoms and rights of the data subjects. This means that the rights of the data subjects and the interests of the controller must be balanced, taking into account the relevant context of the processing.24
On personalised advertising, the Court did note recital (47) of the GDPR which states that direct marketing may be regarded as a legitimate interest.25 However, this still requires a balancing test to be carried out to ensure compliance with the legitimate interest provision under Article 6.1(f).
On this, the Court argued that Facebook users "cannot reasonably expect that the operator of the social network will process that user's personal data, without his or her consent, for the purposes of personalised advertising."26 Accordingly:
...it must be held that the interests and fundamental rights of such a user override the interest of that operator in such personalised advertising by which it finances its activity, with the result that the processing by that operator for such purposes cannot fall within the scope of point (f) of the first subparagraph of Article 6(1) of the GDPR.27
Consent
Regarding consent as a legal basis for processing, the Court set out the relevant requirements for this under the GDPR:
Consent must be freely given, specific, informed and unambiguous.28
Consent is not freely given if the data subject does not have a genuine or free choice or is unable to refuse or withdraw consent without detriment.29
Consent is not freely given if there is an imbalance between the data subject and the controller.30
Consent is not freely given if it cannot be given to different processing operations where such granularity is appropriate in the given context.31
Consideration must be had where the performance of a contract is conditional on consent to data processing that is not necessary for the performance of that contract.32
With this, the Court held that Facebook's dominant position in the social network market does not necessarily prevent it from meeting the aforementioned requirements of consent and processing data on this basis.33 However, the Court stressed that such a factor could impact whether consent can be freely given due to the lack of choice for the user that Facebook's dominant position may imply.34
Additionally, the Court noted that Facebook's position in the market may create an imbalance whereby Facebook could impose "conditions that are not strictly necessary for the performance of the contract."35 On this, the Court reiterated its finding that the processing of data for personalised advertising cannot be carried out on the basis of contractual necessity.36
Based on these stipulations, the Court stated that Facebook users must have the opportunity to not give their consent to such processing "without being obliged to refrain entirely from using the service offered by the online social network operator." Alternatively, the Court suggested that users who refuse to give their consent should "be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations."37
The Court also held that Facebook users should be given the opportunity to consent to the use of on- and off-Facebook data separately. Otherwise, consent to the processing of off-Facebook data cannot be considered to be freely given due to the scale of that processing and the fact that it falls outside the reasonable expectations of users.38
Final Remarks
Although the CJEU stressed that it was for the domestic court in Germany to make the ultimate determinations on the legality of the processing by Facebook, the Court has provided important guidance on several issues impacting the legality of surveillance capitalism in the EU.39
In fact, the judgment ended up becoming a precursor to a ban on Meta's behavioural advertising by the Norwegian data protection supervisory authority. But the decision will also have impacts for other social media platforms that rely on surveillance capitalism as part of their business models.
Overall, Bundeskartellamt puts further constraints on the feasibility of surveillance capitalism in the EU. As data protection expert Carey Lening notes in her commentary on the case:
It's important to note that the Court of Justice's decision doesn't just ruin Meta's holiday. For companies like Meta that build their profits off of our data, this decision will force a reckoning: the days of relying on a suite of legal justifications like performance of a contract or legitimate business interests to process personal data may soon be over.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 27.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 28.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), paras. 71 and 72.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 73.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 75.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 76.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 77.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), paras. 78 and 79.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), paras. 80-83.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 84.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 89.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), paras. 90 and 94.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 90.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), paras. 91-92.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 93.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 95.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 98.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 99.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 102.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 104.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 105.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 107.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 108.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 110.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 115.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 117.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 117.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 142.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 143.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 144.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 144.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 145.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 147.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 148.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 149.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 149.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 150.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 151.
Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 96.
@mahdi Thanks for the shout-out and thorough discussion of the Bundeskartellamt decision. I'm sure you, like me, are also keeping a watchful eye open to the next Noyb case before the CJEU discussing whether sensitive personal data shared in one context (as part of a panel discussion) is considered to be manifestly made public (Article 9.2(e)) for purposes of targeted advertising.
The AG's opinion is at least interesting on its own. https://curia.europa.eu/juris/document/document.jsf;jsessionid=5881C05E616954C1EE2D8D11C112955E?text=&docid=285201&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=2924713