ECJ decis­i­on in anti­trust case against Meta

One is invol­ved, all are affected!

The press calls it a “defeat for Face­book”. In its judgment of 4 July 2023 (case C‑252/21 ), the ECJ ruled that natio­nal com­pe­ti­ti­on aut­ho­ri­ties are allo­wed to estab­lish and sanc­tion brea­ches of data pro­tec­tion law. But the decis­i­on goes far bey­ond anti­trust law: The ruling has a signi­fi­cant impact on data pro­tec­tion law and affects com­pa­nies far bey­ond Meta. Find out in this artic­le whe­ther your com­pa­ny is affec­ted and what steps are now necessary.

Entre­pre­neu­ri­al free­dom in the cross­hairs of the ECJ

The ECJ decis­i­on lacks the neces­sa­ry balan­cing of the fun­da­men­tal right to data pro­tec­tion and the free­dom to con­duct a busi­ness, which is also pro­tec­ted by the EU Char­ter of Fun­da­men­tal Rights. Ins­tead, the ECJ adopts a very rest­ric­ti­ve inter­pre­ta­ti­on which, when appli­ed strin­gent­ly, makes the com­mer­cial use of per­so­nal data almost impos­si­ble. Com­pa­nies are forced by the decis­i­on to ali­gn the con­tent of their offers more clo­se­ly with data pro­tec­tion regu­la­ti­ons and to obser­ve the fol­lo­wing requirements:

  1. Accor­ding to the ECJ, pro­ces­sing for the per­for­mance of a con­tract (Art. 6 (1) (b) GDPR) is only per­mis­si­ble if the pro­ces­sing is objec­tively indis­pensable to ful­fil the main pur­po­se of the con­tract per­for­mance. In all other cases, even a clear con­trac­tu­al agree­ment can­not legi­ti­mi­se the pro­ces­sing. If the ruling is appli­ed strin­gent­ly, this means that con­tract per­for­mance is no lon­ger a legal basis for many inno­va­ti­ve busi­ness models.
  2. The ECJ also shows a clear ten­den­cy with regard to the legi­ti­ma­te inte­rest in data pro­ces­sing (Artic­le 6 (1) (f) GDPR). Alt­hough the ECJ does not com­ple­te­ly rule out the exis­tence of a legi­ti­ma­te inte­rest in the com­mer­cial use of per­so­nal data, this shall only be dee­med given if the user could reason­ab­ly expect the spe­ci­fic scope of the data pro­ces­sing. The same stan­dards shall app­ly with respect to the legi­ti­ma­te inte­rest in ensu­ring net­work secu­ri­ty or in car­ry­ing out pro­duct impro­ve­ments. The inte­rest of the data sub­ject is to be taken into account to a much grea­ter ext­ent than before.
  3. The ECJ also does not cate­go­ri­cal­ly exclude the pos­si­bi­li­ty of giving con­sent (Art. 6 (1) (a) GDPR) to the com­mer­cial use of per­so­nal data, but requi­res that data sub­jects must be able to refu­se indi­vi­du­al pro­ces­sing ope­ra­ti­ons and that they be offe­red an equi­va­lent alter­na­ti­ve (also in terms of cos­ts). The exis­ting high requi­re­ments for con­sent, which in many cases can hard­ly be imple­men­ted in a reasonable man­ner in prac­ti­ce, are thus fur­ther tightened.

Par­ti­cu­lar­ly sen­si­ti­ve data are all around us now

The ECJ decis­i­on also has signi­fi­cant impli­ca­ti­ons for the pro­ces­sing of par­ti­cu­lar­ly sen­si­ti­ve data (Art. 9 GDPR). Accor­ding to the ECJ, even cal­ling up a web­site or app with refe­rence to the data cate­go­ries lis­ted in Art. 9 GDPR should be sub­ject to a par­ti­cu­lar­ly high level of pro­tec­tion. When strin­gent­ly app­ly­ing the ECJ decis­i­on, signi­fi­cant­ly more per­so­nal data are likely to be clas­si­fied as par­ti­cu­lar­ly sen­si­ti­ve in the future. Pro­ces­sing of the­se data is then only per­mis­si­ble under the addi­tio­nal con­di­ti­ons of Art. 9 GDPR. The ECJ sets fur­ther hurd­les for the pro­ces­sing of par­ti­cu­lar­ly sen­si­ti­ve data which the data sub­ject has mani­fest­ly made public (Art. 9 (2) (e) GDPR). The pro­ces­sing of such data is only per­mis­si­ble inso­far as the data sub­ject, being ful­ly awa­re of the facts, has cle­ar­ly expres­sed his or her decis­i­on to publish the data on the basis of indi­vi­du­al pre­fe­ren­ces. The­r­e­fo­re, accor­ding to the ECJ, a clear inten­ti­on to publish the data can­not be infer­red from mere­ly cal­ling up a web­site with par­ti­cu­lar­ly sen­si­ti­ve data, such as an online phar­ma­cy. The ECJ fur­ther sta­tes that a data set con­tai­ning both par­ti­cu­lar­ly sen­si­ti­ve and “ordi­na­ry” per­so­nal data falls under Art. 9 GDPR as a who­le. If it is not pos­si­ble to sepa­ra­te the data, the requi­re­ments of Art. 9 GDPR must be met for the enti­re data set. A sin­gle pie­ce of sen­si­ti­ve infor­ma­ti­on can the­r­e­fo­re infect the enti­re data set. It remains unclear how such an exten­si­ve inter­pre­ta­ti­on of Art. 9 GDPR would be in line with ano­ther objec­ti­ve of the GDPR, which is also to pro­mo­te the free move­ment of per­so­nal data (Art. 1 (1) GDPR).


Gloa­ting or spi­te are out of place in view of the Meta decis­i­on, becau­se the ECJ gene­ral­ly places such high demands on the requi­re­ments of the rele­vant legal bases that, when appli­ed strin­gent­ly, they can hard­ly be ful­fil­led not only by Meta, but also by other com­pa­nies. The decis­i­on the­r­e­fo­re has far-reaching signi­fi­can­ce for all com­pa­nies that pro­cess per­so­nal data and must be taken into account appro­pria­te­ly. At the same time, the decis­i­on under­lines how important new legis­la­ti­ve pro­jects such as the Data Act or the Euro­pean Health Data Space are for the inno­va­ti­ve use of per­so­nal data.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.