Yesterday, I delved into the recent judgment in the Meta case (Case C-252/21) from the Court of Justice of the European Union (CJEU). I gave a preliminary analysis of the court’s view on some of the complexities surrounding the processing of personal data for personalized advertising under the GDPR, focusing on three lawful bases for data processing: contractual necessity, legitimate interests, and consent. I emphasized the importance of a nuanced understanding of the CJEU decision and pointed out that the decision does not determine definitively whether Meta can rely on legitimate interests or fall back on user consent for personalized advertising.
In this second part, I continue my exploration, addressing the CJEU’s discussion of processing special-category (sensitive) personal data. Moreover, I’ll delve into the implications of this judgment for enforcement by competition authorities of the EU’s General Data Protection Regulation (GDPR), shedding light on the future of the one-stop-shop principle.
Following the CJEU decision, the special-category data issue remains difficult for digital services. Still, we don’t have too much new guidance from the CJEU. And regarding the enforcement question, the use of “indirect” enforcement by competition authorities could significantly affect the trajectory of data-privacy regulations in the European Union.
Undermining One-Stop-Shop GDPR Enforcement
Even with a single set of general rules in the GDPR, navigating the maze of differing data-protection enforcement approaches across EU member states could be challenging. The European Union recognized this, and introduced the one-stop-shop principle under the GDPR in a positive move toward harmonization. The core idea is that you don’t have to deal with various national data-protection authorities (DPAs) if you’re a business operating in multiple EU member states. Instead, you have one lead supervisory authority (LSA), typically located in the member state where your company has its main establishment or where your central administration in the EU is situated.
This case arose from an investigation by the German competition authority (the FCO), which had decided that Meta abused its dominant position (in the competition-law meaning of that term) by engaging in conduct that violated the GDPR. The German court, which heard the resulting case between Meta and the FCO, was unsure whether this was something a competition authority could do, so it asked the CJEU.
The CJEU concluded that a national competition authority could do that, but with several limitations. First, it cannot depart from a decision of a privacy authority. Second, where there is doubt, it must “consult and seek the cooperation” of privacy authorities. But if the relevant privacy authorities do not object or don’t reply “within a reasonable time” once consulted, then the national competition authority can proceed.
In this case, the Irish Data Protection Commission (DPC) was consulted, and they informed the German FCO that they did not investigate the issues in question and didn’t object to the FCO’s actions.
It may seem too strong to say that the CJEU’s approach undermines the one-stop-shop principle, in that it effectively gives the competent privacy authority veto power. From the perspective of a business operating across the EU, however, this situation may significantly undermine the benefits of harmonizing GDPR enforcement.
There may be operational reasons (e.g., staffing) why a competent privacy authority may not be able to effectively scrutinize the activities of various national competition authorities, especially if (following the CJEU judgment) those authorities become exceedingly enthusiastic about relying on perceived breaches of the GDPR.
The situation is further complicated in cases where a DPA might need to determine whether to contest a competition authority’s findings on the application of the GDPR, especially if an investigation is not already underway. The DPA might need to initiate an investigation to make this determination. Conducting such an investigation within a timeframe the competition authority deems “reasonable” may, however, present significant practical challenges.
Alternatively, the DPA might have to formulate a stance without the benefit of a comprehensive investigation. This approach could lead to several undesirable outcomes, such as erroneous decisions. Furthermore, it could deny the business under scrutiny the opportunity to present its perspective on the GDPR issues before the authority that holds the relevant jurisdiction.
Competition authorities could strategize their approach in a manner that may disadvantage privacy authorities. They may undertake lengthy and thorough investigations independently and only consult the relevant privacy authorities toward the end of their process. This could create an expectation for privacy authorities to agree with their findings on applying the GDPR within a comparatively shorter, “reasonable” timeframe. This significantly reduced review and agreement window could undermine the regulatory process’s balance and thoroughness.
Special Categories of Data (Sensitive Data)
The GDPR allows processing “special categories” of personal data in more limited circumstances than the standard lawful bases (legitimate interest, contractual necessity, and so on). This category includes: “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation” (Article 9(1) GDPR).
In business contexts, two situations justifying the processing of special-category data are likely to be relevant: (1) consent of the data subject and (2) “data which are manifestly made public by the data subject.”
In this case, the issue was twofold. The first question was when Facebook’s collection and use of off-platform (third-party) data might involve the “processing of special categories of personal data.” Second, under what circumstances could users be considered to have made their data manifestly public?
Regarding the first issue, the CJEU didn’t provide much guidance. It asserted that it is possible for data about users merely visiting some websites (without interacting with those sites beyond opening them) to reveal special-category data. But the CJEU left it to the national court to determine whether that is the case in any specific situation.
In doing so, the CJEU didn’t expressly follow the approach of Advocate General Athanasios Rantos, who suggested in his opinion in this case that “it might be worth distinguishing, where appropriate, between the processing of data which prima facie may be categorized as sensitive personal data, which alone allow profiling of the data subject, and the processing of data that are not inherently sensitive but require subsequent aggregation to draw plausible conclusions for profiling purposes.” The court’s judgment doesn’t seem to contradict AG Rantos’ “existence of categorization” analysis, but it also doesn’t endorse it.
Regarding the second issue, the court adopted a narrow interpretation of what it means for data to be made manifestly public—i.e., that a decision merely to visit a website does not count. Nor would any specific interaction with the website’s functionality (e.g., using “Like” or “Share”), unless a user decides ex ante in their settings to make such information “accessible to the general public” or explicitly consents to that while interacting with the website.
Meta already relies on user consent to utilize off-platform/third-party data. Moreover, the German competition authority announced that it was happy with Meta’s recent changes to the “account center.” The German authority noted, however, that they may revisit the issue under a different legal basis (Section 19a of the German Competition Act, which I recently discussed here).
In conclusion, the CJEU’s decision in Meta’s competition case has several implications for GDPR enforcement. First, the decision raises concerns about undermining the one-stop-shop principle under the GDPR. While the CJEU’s approach gives veto power to competent privacy authorities, it may complicate the harmonization of GDPR enforcement for businesses operating across multiple EU member states. The need for privacy authorities to scrutinize the activities of various national competition authorities could pose operational challenges and hinder the benefits of harmonization.
Second, the judgment sheds some light on processing special-category (sensitive) personal data. However, the CJEU’s guidance on this matter remains limited, as it leaves it to national courts to determine whether particular data-collection practices involve processing special-category data. The CJEU adopts a narrow interpretation of what constitutes data being made manifestly public, emphasizing that mere website visits, or interactions without explicit consent or a user’s decision to make the information accessible to the general public, do not qualify.