One is involved, all are affected!
The press calls it a “defeat for Facebook”. In its judgment of 4 July 2023 (case C‑252/21 ), the ECJ ruled that national competition authorities are allowed to establish and sanction breaches of data protection law. But the decision goes far beyond antitrust law: The ruling has a significant impact on data protection law and affects companies far beyond Meta. Find out in this article whether your company is affected and what steps are now necessary.
Entrepreneurial freedom in the crosshairs of the ECJ
The ECJ decision lacks the necessary balancing of the fundamental right to data protection and the freedom to conduct a business, which is also protected by the EU Charter of Fundamental Rights. Instead, the ECJ adopts a very restrictive interpretation which, when applied stringently, makes the commercial use of personal data almost impossible. Companies are forced by the decision to align the content of their offers more closely with data protection regulations and to observe the following requirements:
- According to the ECJ, processing for the performance of a contract (Art. 6 (1) (b) GDPR) is only permissible if the processing is objectively indispensable to fulfil the main purpose of the contract performance. In all other cases, even a clear contractual agreement cannot legitimise the processing. If the ruling is applied stringently, this means that contract performance is no longer a legal basis for many innovative business models.
- The ECJ also shows a clear tendency with regard to the legitimate interest in data processing (Article 6 (1) (f) GDPR). Although the ECJ does not completely rule out the existence of a legitimate interest in the commercial use of personal data, this shall only be deemed given if the user could reasonably expect the specific scope of the data processing. The same standards shall apply with respect to the legitimate interest in ensuring network security or in carrying out product improvements. The interest of the data subject is to be taken into account to a much greater extent than before.
- The ECJ also does not categorically exclude the possibility of giving consent (Art. 6 (1) (a) GDPR) to the commercial use of personal data, but requires that data subjects must be able to refuse individual processing operations and that they be offered an equivalent alternative (also in terms of costs). The existing high requirements for consent, which in many cases can hardly be implemented in a reasonable manner in practice, are thus further tightened.
Particularly sensitive data are all around us now
The ECJ decision also has significant implications for the processing of particularly sensitive data (Art. 9 GDPR). According to the ECJ, even calling up a website or app with reference to the data categories listed in Art. 9 GDPR should be subject to a particularly high level of protection. When stringently applying the ECJ decision, significantly more personal data are likely to be classified as particularly sensitive in the future. Processing of these data is then only permissible under the additional conditions of Art. 9 GDPR. The ECJ sets further hurdles for the processing of particularly sensitive data which the data subject has manifestly made public (Art. 9 (2) (e) GDPR). The processing of such data is only permissible insofar as the data subject, being fully aware of the facts, has clearly expressed his or her decision to publish the data on the basis of individual preferences. Therefore, according to the ECJ, a clear intention to publish the data cannot be inferred from merely calling up a website with particularly sensitive data, such as an online pharmacy. The ECJ further states that a data set containing both particularly sensitive and “ordinary” personal data falls under Art. 9 GDPR as a whole. If it is not possible to separate the data, the requirements of Art. 9 GDPR must be met for the entire data set. A single piece of sensitive information can therefore infect the entire data set. It remains unclear how such an extensive interpretation of Art. 9 GDPR would be in line with another objective of the GDPR, which is also to promote the free movement of personal data (Art. 1 (1) GDPR).
Gloating or spite are out of place in view of the Meta decision, because the ECJ generally places such high demands on the requirements of the relevant legal bases that, when applied stringently, they can hardly be fulfilled not only by Meta, but also by other companies. The decision therefore has far-reaching significance for all companies that process personal data and must be taken into account appropriately. At the same time, the decision underlines how important new legislative projects such as the Data Act or the European Health Data Space are for the innovative use of personal data.back