On 4th July 2023 the Court of Justice of the European Union (CJEU)
issued a judgment relating to case C-252/21 involving Facebook’s parent company Meta.
This case relates to Meta’s compliance with the General Data Protection Regulation (GDPR) in Europe. Our local law,
The Data Protection (Bailiwick of Guernsey) Law, 2017 is equivalent to the EU’s GDPR.
What is significant about this?
The CJEU judgment has significant implications on both competition and data protection regulation in Europe, which will likely have knock-on effects in jurisdictions that target goods and services at people in Europe.
What does the judgment say?
The CJEU judgment covers four issues:
- It confirms that competition authorities can sometimes determine data protection breaches.
Authorities that regulate competition law may become aware of data protection compliance issues while exercising their legal powers. The judgment recognises this overlap, and says that competition authorities must “consult and cooperate sincerely” with data protection supervisory authorities so that both authorities can act effectively within their remit.
- It clarifies processing of more sensitive ‘special category data’.
The Meta Pixel tracks people as they visit and interact with websites. Some companies that track people like this use the ‘public domain’ lawful processing condition to use special category data (e.g. sexuality, genetics, political views etc.) about people who visit certain websites. The judgment says that merely visiting a website (and perhaps entering information in an online form) does not mean that the person has made an explicit choice to ‘manifestly make public’ their presence on that site, or their interactions with the site and therefore companies cannot rely on 'public domain' as a lawful basis for collecting and using that information.
- It emphasises the definition of the word ‘necessary’ in data protection law.
Meta relies on the contractual ‘lawful processing condition’ to use personal data. However, the judgment says this contract does not extend to using people’s personal data for anything that is not ‘necessary’ under that contract i.e. fundamental to the delivery of the service. Specifically, in this case, showing people personalised advertisements is not necessary, it is a revenue stream for Meta.
- It confirms that ‘consent’ can be valid even if the company dominates its market.
For companies to be able to use the ‘consent’ lawful processing condition they need to demonstrate that a person has ‘freely given’ that consent. This may be difficult to prove when a company (such as Meta, in this case) hold a dominant position in the market as people have less choice over what platform they can use, but the judgment says it is possible and it remains up to the company to prove that people are able to freely give their consent.
What can you learn from this?
1. If you are regulated under
competition law you need to understand how this interacts with data protection law.
2. Whenever you are using
special category data you must take extra care. People should be able to understand what you are doing, what information about them you are collecting, and what your intentions are for that data.
3. You need to carefully consider whether the information you collect and use about people is ‘
necessary’ for whatever purpose you are using it for, and whether you are using a valid 'lawful processing condition’.
4. Take care over your use of the ‘
consent’ lawful processing condition, especially if you are the dominant player in your market. You must be able to demonstrate that you are giving people genuine choice over your use of their personal data.
&
Indulge