IP case law Court of Justice

Referral C-252/21 (Facebook and Others, 22 Apr 2021)



1.
a) Is it compatible with Article 51 et seq. of the GDPR if a national competition authority – such as the German Federal Cartel Office – which is not a supervisory authority within the meaning of Article 51 et seq. of the GDPR, of a Member State in which an undertaking established outside the European Union has an establishment that provides the main establishment of that undertaking – which is located in another Member State and has sole responsibility for processing personal data for the entire territory of the European Union – with advertising, communication and public relations support, finds, for the purposes of monitoring abuses of competition law, that the main establishment’s contractual terms relating to data processing and their implementation breach the GDPR and issues an order to end that breach?
b) If so: Is that compatible with Article 4(3) TEU if, at the same time, the lead supervisory authority in the Member State in which the main establishment, within the meaning of Article 56(1) of the GDPR, is located is investigating the undertaking’s contractual terms relating to data processing?

If the answer to Question 1 is yes:
2.
a) If an internet user merely visits websites or apps to which the criteria of Article 9(1) of the GDPR relate, such as flirting apps, gay dating sites, political party websites or health-related websites, or also enters information into them, for example when registering or when placing orders, and another undertaking, such as Facebook Ireland, uses interfaces integrated into those websites and apps, such as ‘Facebook Business Tools’, or cookies or similar storage technologies placed on the internet user’s computer or mobile device, to collect data about those visits to the websites and apps and the information entered by the user, and links those data with the data from the user’s Facebook.com account and uses them, does this collection and/or linking and/or use involve the processing of sensitive data for the purpose of that provision?
b) If so: Does visiting those websites or apps and/or entering information and/or clicking or tapping on the buttons integrated into them by a provider such as Facebook Ireland (social plugins such as ‘Like’, ‘Share’ or ‘Facebook Login’ or ‘Account Kit’) constitute manifestly making the data about the visits themselves and/or the information entered by the user public within the meaning of Article 9(2)(e) of the GDPR?

3. Can an undertaking, such as Facebook Ireland, which operates a digital social network funded by advertising and offers personalised content and advertising, network security, product improvement and continuous, seamless use of all of its group products in its terms of service, justify collecting data for these purposes from other group services and third-party websites and apps via integrated interfaces such as Facebook Business Tools, or via cookies or similar storage technologies placed on the internet user’s computer or mobile device, linking those data with the user’s Facebook.com account and using them, on the ground of necessity for the performance of the contract under Article 6(1)(b) of the GDPR or on the ground of the pursuit of legitimate interests under Article 6(1)(f) of the GDPR?

4. In those circumstances, can
– the fact of users being underage, vis-à-vis the personalisation of content and advertising, product improvement, network security and non-marketing communications with the user;
– the provision of measurements, analytics and other business services to enable advertisers, developers and other partners to evaluate and improve their services;
– the provision of marketing communications to the user to enable the undertaking to improve its products and engage in direct marketing;
– research and innovation for social good, to further the state of the art or the academic understanding of important social issues and to affect society and the world in a positive way;
– the sharing of information with law enforcement agencies and responding to legal requests in order to prevent, detect and prosecute criminal offences, unlawful use, breaches of the terms of service and policies and other harmful behaviour;
also constitute legitimate interests within the meaning of Article 6(1)(f) of the GDPR if, for those purposes, the undertaking links data from other group services and from third-party websites and apps with the user’s Facebook.com account via integrated interfaces such as Facebook Business Tools or via cookies or similar storage technologies placed on the internet user’s computer or mobile device and uses those data?

5. In those circumstances, can collecting data from other group services and from third-party websites and apps via integrated interfaces such as Facebook Business Tools, or via cookies or similar storage technologies placed on the internet user’s computer or mobile device, linking those data with the user’s Facebook.com account and using them, or using data already collected and linked by other lawful means, also be justified under Article 6(1)(c), (d) and (e) of the GDPR in individual cases, for example to respond to a legitimate request for certain data (point (c)), to combat harmful behaviour and promote security (point (d)), to research for social good and to promote safety, integrity and security (point (e))?

6. Can consent within the meaning of Article 6(1)(a) and Article 9(2)(a) of the GDPR be given effectively and, in accordance with Article 4(11) of the GDPR in particular, freely, to a dominant undertaking such as Facebook Ireland?

If the answer to Question 1 is no:
7.
a) Can the national competition authority of a Member State, such as the Federal Cartel Office, which is not a supervisory authority within the meaning of Article 51 et seq. of the GDPR and which examines a breach by a dominant undertaking of the competition-law prohibition on abuse that is not a breach of the GDPR by that undertaking’s data processing terms and their implementation, determine, when assessing the balance of interests, whether those data processing terms and their implementation comply with the GDPR?
b) If so: In the light of Article 4(3) TEU, does that also apply if the competent lead supervisory authority in accordance with Article 56(1) of the GDPR is investigating the undertaking’s data processing terms at the same time?

If the answer to Question 7 is yes, Questions 3 to 5 must be answered in relation to data from the use of the group’s Instagram service.

