Today’s judgment from the Court of Justice of the European Union (CJEU) in Meta’s case (Case C-252/21) offers new insights into the complexities surrounding personalized advertising under the EU General Data Protection Regulation (GDPR). In the decision, in which the CJEU gave the green light to an attempt by the German competition authority (FCO) to rely on the GDPR, the court also explored the lawful bases for data processing under the GDPR, notably for personalized advertising.
Given the decision’s legal nuances, it is perhaps unsurprising that early reports on its contents have been somewhat confused. For example, it has been suggested that the CJEU proclaimed that Facebook must now ask users for consent to process their data for personalized advertising. In this short text, I attempt to dispel misconceptions and highlight key takeaways from this important decision. Note that this analysis is a preliminary, first-impression look at the case.
I have divided my discussion into two parts. In this first part, I cover the lawful basis for the processing of personal data for personalized advertising (contractual necessity, legitimate interest, and consent). In the second part, I will examine the issue of special category (sensitive) data and what “indirect” enforcement of the GDPR by competition authorities means for the one-stop-shop principle.
To process personal data lawfully under the GDPR, businesses must rely on one of the “lawful bases” of data processing listed in Article 6 GDPR. This list includes, among other things, “consent,” “contractual necessity,” and “legitimate interests” bases. In January, the Irish Data Protection Commission (DPC) issued a decision, largely forced by the European Data Protection Board (EDPB), in which it found that Meta cannot rely on contractual necessity for personalized advertising on its Facebook and Instagram platforms. Meta disagrees with that GDPR interpretation, and I think their critique has merit. For more detail, see my blog post on the decision and my podcast with Eric Seufert.
Meta’s response to the Irish DPC’s decision was to switch from contractual necessity to legitimate interests as a basis for personal data processing for personalized advertising. Eric Seufert and I covered that in yet another podcast. Critics have decried Meta’s decision as a move to an “equally illegal basis.”
Among the remaining crucial questions is whether Meta can rely on legitimate interests for personalized advertising. And if they can’t, can they fall back on express user consent? Those who generally oppose personalized advertising likely hope the answer to both questions is: “no.” Despite some hasty public comments, however, today’s judgment does not resolve those questions either way.
First-Party vs Third-Party Data
It’s crucial to note that the CJEU case focused on “third-party data”: collected off-platform by other websites or by Meta services than Facebook. The lawful basis for processing such data is an important question. Still, it is not nearly as important as “first-party” data: those data processed by Facebook and collected directly by Facebook.
This doesn’t mean the CJEU’s judgment is irrelevant to questions about first-party data processing. It does, however, mean that we have to be very careful when reading the decision to notice the extent to which the court went beyond the scope of the case before them. Crucially, when the court discusses the key “questions 3 to 5” (questions asked by a German court), it prefaces the discussion by rephrasing the asking court’s question as follows:
… the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps …
This “data at issue” or “processing in question” is the primary subject of the court’s proceeding discussion.
Addressing contractual necessity, the CJEU ruled that, for the processing of personal data to be lawful under this basis, it must be objectively indispensable to the contract’s primary objective. The processing cannot be merely useful.
The judges questioned whether personalization was necessary for a social-network service but did not definitively rule on this matter, leaving the issue to be resolved by national courts. Interestingly, the CJEU did not directly reference personalized advertising. Instead, it explicitly discussed personalization of content. The court also noted more generally, however, that “it does not appear, subject to verification by the referring court, that the processing at issue in the main proceedings is strictly necessary for the performance of the contract” (para 149). And “the processing at issue in the main proceedings” does include personalized advertising (para 27).
Should we view the court’s comments as extending to first-party data? The text of the decision neither expressly limits the court’s remarks to third-party data, nor does it explicitly refer to first-party data. Given the scope of the question that the CJEU itself said it is answering (limited to third-party data), it could arguably be an out-of-context reading of, e.g., para 102, to extend it to first-party data. Notably, the conclusion of that discussion in para 104 also makes it clear that it applies to third-party data.
Setting that aside, even if only applicable to third-party data, the court’s approach is open to criticism of the kind that Kristian Stout and I leveled against the EDPB’s approach:
This stilted view of what counts as a “service” completely fails to acknowledge that “necessary” must mean more than merely technologically possible. Any service offering faces both technical limitations as well as economic limitations. What is technically possible to offer can also be so uneconomic in some forms as to be practically impossible. Surely, there are alternatives to personalized advertising as a means to monetize social media, but determining what those are requires a great deal of careful analysis and experimentation. Moreover, the EDPB’s suggested “contextual advertising” alternative is not obviously superior to the status quo, nor has it been demonstrated to be economically viable at scale.
Thus, even though it does not strictly follow from the guidelines, the decision in the Meta case suggests that, in practice, the EDPB pays little attention to the economic reality of a contractual relationship between service providers and their users, instead trying to carve out an artificial, formalistic approach. It is doubtful whether the EDPB engaged in the kind of robust economic analysis of Facebook and Instagram that would allow it to reach a conclusion as to whether those services are economically viable without the use of personalized advertising.
On the topic of legitimate interests, the CJEU made two significant assumptions.
First, it asserted that Facebook users could not reasonably expect their data collected by other services (third-party data) to be processed by Facebook for personalized advertising. The court gave no justification for its assertion? that, even if a service is offered free of charge, users cannot reasonably expect the service provider to process user data collected by third parties for personalized advertising.
Notably, the CJEU did not state that explicitly about first-party data (this is highlighted in para 151). Perhaps the court intentionally left open the potential to use a “legitimate interests” basis for processing first-party data for personalized advertising. It could also be that the court simply decided to stay within the scope of the questions asked and that we should not draw any broader conclusions.
Second, the Court emphasized that this kind of data processing significantly affects the user, due to its comprehensive nature and the unlimited scope of data it could potentially encompass. This, the court argued, could create the impression of continuous monitoring of the user’s private life.
This line of argumentation may be aimed at distinguishing large social networks from other online service providers who also rely on legitimate interests for personalized advertising. Large social networks may be held to a stricter standard, given their vast data collection.
If these comments on legitimate interests are interpreted as encompassing all data, not just third-party data, it could complicate matters for social networks relying on this basis. As I noted, however, the better reading seems to be that the CJEU limited its answer to the scope of the question asked by the German court (i.e., to third-party data).
In the event of further restrictions on using contractual necessity and legitimate interests bases for personalized advertising, businesses might look to consent as a solution. The CJEU, however, also expressed some reservations here, particularly for large digital services. Drawing on antitrust/competition law and the concept of a “dominant position,” the court asserted that a service’s market dominance is relevant in determining whether user consent is “freely given.” If not freely given, then consent is presumed invalid.
The invalidity of consent and restrictive interpretations of contractual necessity and legitimate interest could significantly limit the kind of personal data processing that large service providers can do. Some would likely argue that the result is a de facto prohibition of personalized advertising by large digital service providers, but we are not there yet. The court affirmed that merely having a dominant position does not necessarily mean that a user’s consent is invalid. But it did grant national authorities, especially competition authorities, another tool to push in that direction.
Importantly, the court raised the possibility of paid or subscription alternatives to free services dependent on consent. Such alternatives must provide not only access to the service but an “equivalent” level of service: “users are to be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations” (para 150).
It is unclear what equivalence is supposed to mean in practice. Perhaps businesses would be required to offer the same service without personalized advertising, but also without additional features. Or, at least, to offer one among several tiers of paid subscriptions, which come neither with personalized advertising nor additional features. The questions raised here are analogous, if not identical, to some of the issues raised by the Digital Markets Act (DMA)—especially its recitals 36-37.
One welcome feature of the court’s approach is that it rejects the idea that consent is not “freely given” whenever the alternative to consent is not free of charge (i.e., when the alternative to consent is to pay).
The court’s own discussion seems to include an interesting contradiction. On the one hand, the CJEU rejects that using third-party personal data for personalized advertising is necessary for the performance of a contract between the user and Meta/Facebook. On the other hand, it suggests offering a version of the service without data processing for personalized advertising, among other things, “if necessary for an appropriate fee.” What is the “appropriate fee” meant to be “necessary” for? Necessary for the service provider to be able to fund providing the service? How is that not a “contractual necessity”? This illustrates the stilted formalism of the narrow interpretation of “contractual necessity.”
To be continued in part 2, covering special category (sensitive) data and what “indirect” enforcement of the GDPR by competition authorities means for the one-stop-shop principle.