In 2019, the German Competition watchdog Federal Cartel Office (FCO) issued a remarkable decision against Facebook, which has been subject to on-going legal proceedings that have kept antitrust and data protection lawyers busy. Recently, the Higher Regional Court of Düsseldorf in a surprise move halted the proceedings and filed a request for preliminary ruling to the European Court of Justice (ECJ) On 23 April this request for a preliminary ruling was published by the court. It comprises central questions of data protection law and the relationship between competition authorities and data protection authorities.
Firstly, the Duesseldorf Court (which is the competent court for appealing FCO decisions) ordered suspensive effect in the interim proceedings and explained that it was unlikely Facebook's conduct constituted – irrespective of its compatibility with data protection law – an infringement of competition law. In contrast, the higher-tier competition-law senate of the Federal Court of Justice stated last year that it did not doubt that Facebook's behaviour was abusive and overturned the Duesseldorf Court decision in an unusually extensive ruling that offered reasoning different from that of the FCO. What followed was a procedural interlude that hindered the implementation of the FCO decision.
On 24 March, the Duesseldorf Court considered the matter again and things took a surprising turn. The Court not only openly expressed its discontent with the Federal Court of Justice's reasoning in the interim proceedings, but also suspended the procedure and filed a reference to the ECJ for a preliminary decision.
The starting point for the Duesseldorf Court was the consideration that – in line with the FCO decision – a violation of consumer protection standards such as those set by the GDPR can bring about an exploitative abuse of market power. The court refers to the British Airways Judgment by the Court of Justice (C-95/04) and explains that the competitive damage in such a case is the violation of the freedom of disposition over personal data, which is protected by the GDPR. Contrary to critical voices, the court also sees a causal connection between GDPR infringement and a company's dominant position since Facebook would "sensibly" not apply abusive conditions if competition was functioning or consumers had the possibility to avoid the conditions by choosing another supplier.
However, this finding led the Duesseldorf Court away from competition law and to an interpretation of the GDPR – arguably not its home turf – as well the role of competition authorities in the application of the GDPR. Since the ECJ is competent in the interpretation of EU law such as the GDPR, the Duesseldorf court referred questions on both issues to the judges in Luxembourg for a preliminary ruling.
The Request includes seven questions, two relating to the application of the GDPR and five to its content.
With its first question of the request, the Duesseldorf Court wants to know whether it is compatible with Art. 51 et seq. GDPR if a national competition authority finds in competition law proceedings that the contractual terms and conditions applied by a branch of a company are in breach of the GDPR and orders to change them, while the data processing by the company is in the competence of another branch of the company in another member state. In other words: can the FCO assess whether Facebook's practice is in line with the GDPR and address an order to the German branch in this regard if the data is processed by Facebook's Irish branch under supervision of the Irish Supervisory authority within the meaning of Art. 51 GDPR?
The second question of competence (which is the seventh question of the request by the court) asks whether a national competition authority assessing a possible abuse of a dominant position may take into account – for example, when weighing the interest of the parties – whether the dominant company's data processing is in accordance with the GDPR. Indeed, these issues are important for the relationship between competition authorities and GDPR supervisory authorities. Depending on how the answers turn out, they could deal a severe blow to the ambitions of certain competition authorities to tackle data protection violations with antitrust law and to support overwhelmed data regulators.
In addition to these two questions of competence, the request is made up of five questions concerning the interpretation of the GDPR. All five have significance for data driven companies such as Facebook, not only for competition law purposes, but for the application of the GDPR in general. In particular, the Duesseldorf Court raises the question to what extent a company can rely on legal grounds other than consent of users when collecting and converging personal data. In the case of Facebook, sources for the collection of such data can be services such as Facebook.com or Instagram (“Facebook Data”) and third-party services like websites or apps incorporating social plugins such as the Like-Button or Facebook login (“Off Facebook Data”).
The second question of the request concerns the scope of Art. 9 GDPR: Does a company (like Facebook) process special categories of personal data when a user visits or enters data on a website or app whose subject matter concerns special categories of data (e.g. registering in an LGBT dating app), such as Off Facebook Data that Facebook collects (and connects with the user’s Facebook account)? If the answer is yes, does Art. 9 (2) e) GDPR apply (i.e. does the user make such data “manifestly public” when accessing such websites and app) and is such data processed by Facebook?
With the third question of the request, the Duesseldorf Court wants to know whether a company such as Facebook can rely on Art. 6 (1) b) and f) GDPR when it combines Facebook Data and Off Facebook Data for the purposes of personalising content and ads, data security, improving its services and a seamless use of products within Facebook group services (i.e. the Purposes).
With its fourth question of the request, the Duesseldorf Courts asks whether a company such as Facebook can rely on Art. 6 (1) f) GDPR when it connects data from its own services or third party websites and apps, such Facebook Data and Off Facebook Data to –
process personal data of minors for the Purposes (relevant when minors sign up to Facebook without the approval of legal guardians, which is deemed to be necessary for a valid contract according to German legal scholars);
provide statistics and analysis to other companies for their benefit (e.g. analysing campaigns that companies are running on Facebook);
communicate with users for direct marketing purposes;
use data for research purposes (e.g. understanding important social topics like perceptions about climate change);
inform public authorities about criminal offences, illegal use of services, violations of guidelines, etc.
With the fifth question of the request, the Duesseldorf Court wants to know if processing personal data and/or connecting Facebook Data and Off Facebook Data can be based on Art. 6 (1) c) GDPR (complying with legal obligation), Art. 6 (1) d) GDPR (protecting vial interests of a natural person) or Art. 6 (1) e) GDPR (carrying out a task in the public interest). This question is relevant according to the Court because those provisions (in connection with member state laws) can replace consent as a legal basis.
With the sixth question of the request, the Duesseldorf Courts asks if consent according to GDPR can constitute a legal basis if the controller is a dominant company.
Questions two to five touch upon important questions on the application GDPR rules. If the ECJ finds in reply to the sixth question that dominant companies generally cannot rely on consent, this would create a data protection earthquake, which could have a fundamental impact on the business model of Facebook and other tech giants.
The ball is now in the court of the ECJ. The answers that the judges in Luxembourg ultimately provide will not only have elementary significance for the application of antitrust law in the digital economy, but will also give the ECJ the opportunity to interpret fundamental provisions of the GDPR.