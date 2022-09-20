A non-binding opinion issued today by an influential adviser to the European Union’s highest court could portend a major regional development at the intersection of privacy regulation and competition – or “privacy versus competition”, because it is sometimes tightly framed.

The notice follows a referral to the Court of Justice (CJEU) regarding an action by Facebook (aka Meta) challenging a 2019 order by the German competition watchdog (the FCO) against the so-called “superprofiling” of Facebook users. The FCO case argues that the tech giant’s combination of user data across multiple services and websites — ergo, Facebook’s complete denial of user privacy — is itself an “exploitative abuse.” related to its market power and therefore also an abuse of the competition laws which the FCO is competent to regulate.

Facebook appealed the FCO’s order arguing that anti-rust officials should essentially stay in their lane because they are not the designated watchdogs for Facebook’s General Data Protection Regulation (GDPR). the EU.

But today’s opinion opposes such a compartmentalization. And if the Court follows his adviser’s advice, it could give a major boost to privacy rights across the EU, as antitrust authorities get the green light to examine the compatibility of data protection in as part of their assessment of the competition rules. (Although it is worth pointing out that all we have today is an opinion, not binding law; the CJEU itself has yet to decide the issues before it.)

This is important because the historically siled approach to enforcement affecting the digital sphere has failed to keep pace with the giants of the mining platform, allowing some companies to acquire a massive market power through systematic abuse of privacy – despite the EU having long-standing privacy rules. (on paper).

So a key element of blame is really a failure of autonomous enforcement of data protection law by European regulators – so whether the bloc’s competition authorities can also take life-related data abuse into account when assessing competition issues, it widens the scrutiny net.

Extract from the press release on the opinion of the AG issued by the Luxembourg court:

“In his conclusions delivered today, Advocate General Athanasios Rantos, first of all, considers that, if a competition authority is not competent to rule on an infringement of the GDPR, it can nevertheless, in the exercise of its powers own, take into account the compatibility of a commercial practice with the GDPR. In this regard, the Advocate General emphasizes that the compliance or non-compliance of this behavior with the provisions of the GDPR may, in the light of all the circumstances of the case, constitute an important clue as to whether this behavior constitutes a breach of contest rules. »

AG Rantos’ opinion goes on to observe that any assessment made by a competition authority in relation to GDPR compliance would be “without prejudice” to the powers of the competent supervisory authority under the regulation, adding: “Therefore, the competition authority must take into account any decision or investigation by the competent supervisory authority, inform the latter of all useful details and, if necessary, consult it.

Thus, the direction of travel advocated by the CJEU adviser is towards greater collaboration between competition and privacy regulators.

In 2019, the FCO ordered Facebook to stop combining user data – threatening, with a bang, a screeching halt to its surveillance-based business model (at least in Germany). Yet the legality of Meta’s data processing was also contested under European privacy law – but procedural bottlenecks have led to complaints over the years and delayed GDPR enforcement against the most powerful technological platforms (where the need for action is most acute). So if EU antitrust authorities are empowered to also consider privacy breaches and work more closely with data protection regulators, it could provide a much-needed boost to enforcement. law, which would help remove some of the bottlenecks.

The AG’s opinion could also send a signal to the EU antitrust authority to rework its approach. The bloc’s competition unit has historically been reluctant to combine privacy and competition – hence, in recent years, its willingness to override key privacy objections raised against the Google-Fitbit merger and allow the agreement to move forward with only a few concessions.

While the FCO’s case against Facebook is rightly considered groundbreaking, in the years since the German regulator first began to look into Facebook’s exploitation of user privacy, other regional watchdogs have realized the need to evolve their approach – and joint work between privacy and competition authorities is already on the rise – with, for example, the ICO and CMA from the United Kingdom working together on a competition case related to Google’s “Privacy Sandbox” proposal to evolve its advertising technology; and French competition and privacy authorities are consulting over complaints against Apple’s App Transparency Tracking feature (which the French antitrust watchdog refused to block), not to cite just two recent examples of consultation and co-working.

Quickly zooming out, the EU also approved a major ex ante update to competition rules – called the Digital Markets Act (DMA) – which sets binding operational requirements on the most powerful platforms that include certain provisions limiting how the data may be used.

Application of the DMA is to begin next year. A new competition regime for the most powerful companies is therefore absolutely imminent in Europe. (Germany has already passed a nationwide reboot of its digital competition rules – granting special abuse powers to the FCO, which earlier this year named Facebook as one of several tech giants under the jurisdiction of the FCO. scheme; the classification being valid for five years.)

Consent and sensitive data

The AG’s opinion addresses a number of other legal issues that came before the court via Facebook’s appeal of the FCO’s initial anti-superprofiling order – with the adviser believing that dominance over the market, in itself, does not call into question the validity of a consent-based legal basis for a social media service to process user data.

However, the adviser suggests that the muscle of the market should be factored into the assessment of freedom of consent – ​​what he says is for the controller to demonstrate. (NB: The GDPR standard for consent as the legal basis for processing personal data is that it must be specific, informed and freely given.)

The GA also does not exclude the possibility that Facebook may process certain personal data relying on an alternative legal basis to consent – but only if the processing concerns operational elements that are actually necessary for the provision of services related to the provision of the Facebook Account. And there he seems to question whether “personalized ads” fit the definition of “necessary”.

“[T]the Advocate General considers that, although the personalization of content and advertising, the continuous and transparent use of the services of the Meta Platforms group, the security of the network or the improvement of the product may be in the interests of the user or controller, these elements of the practice in question do not appear necessary for the provision of the aforementioned services,” the Court wrote in the press release. The AG also decides on an issue related to the processing of sensitive personal data (defined in the GDPR as data on racial or ethnic origin, political affiliation, health data, sexual orientation, etc.) – and on profiling based on sensitive characteristics – stressing that a prohibition in the regulation of such processing may apply in this context; and, further, that for a GDPR waiver to apply (e.g. data that the data subject has “obviously made public”) the user must be “fully aware that, by an explicit act, he makes personal data public”. “According to the Advocate General, behavior consisting in visiting sites and applications, entering data on these sites and applications and clicking on buttons integrated therein cannot, in principle, be equated with behavior manifestly making public the user’s sensitive personal data. data,” the statement continued, suggesting that the act of background surveillance Facebook imposes on users through tracking infrastructure built into its own services and third-party websites would not be a viable loophole to avoid the ban. to process sensitive data. Which would mean that Facebook would either have to not process sensitive user data at all (good luck!) – or explicitly ask people for permission to do so. (And you can’t imagine many people voluntarily agreeing to let Facebook track such things.)

It remains to be seen, of course, whether the Court will agree with its adviser on all these points.

The CJEU often, but not always, follows the reasoning of its AGs – so the opinion itself is certainly noteworthy. Typically, it takes between three and six months after an GA opinion for the CJEU to issue a ruling, meaning the soonest it could be at the end of this year.

Once the CJEU issues its decision, it will be sent back to the referring court – in this case, the German court hearing Facebook’s appeal against the FCO’s order – meaning that a final verdict on this case should take place next year.