Protection of natural persons with regard to the processing of personal data

In a request for a preliminary ruling requested by the Higher Regional Court, Germany to the European Court of Justice, Meta Platforms Ireland – an operator of an online social media network operating within the European Union, requested a preliminary ruling concerning the decision by which the Federal Cartel, Germany prohibited the applicant from processing certain personal data as provided for in the general terms of use of the social media platform, Facebook.

The referring Court asked, in essence, whether the relevant provisions emanating from GDPR must be interpreted as meaning that a competition authority of a Member State can find, in the context of the examination of an abuse of a dominant position by an undertaking, that the undertaking’s general terms of use relating to the processing of personal data are not consistent with GDPR.

The Court analysed the question raised by the applicant in its request for a preliminary ruling, that being whether the provision of the GDPR must be interpreted as meaning that, where the user of an online social network visits websites or apps to which one or more of the categories referred to in that provision relates, must be regarded as ‘processing of special categories of personal data’ within the meaning of the GDPR, which is in principle prohibited.

The principle laid out in the GDPR is that the processing of special categories of personal data listed therein is prohibited, this includes data revealing racial or ethnic origin, political opinions, religious beliefs, and data concerning health or a natural person’s sex life or sexual orientation. The objective and interpretation of the GDPR is therefore to prohibit such processing of data, irrespective of its stated purpose.

This fundamental prohibition does not apply in the circumstances where the processing relates to personal data which are manifestly made public by the data subject. One needs to therefore analyse whether the data subject had intended, explicitly and by a clear affirmative action, to make the personal data in question accessible to the general public.

The Court states that with regards to visits to websites or apps which one or more categories relate, the user concerned does not in any way intend to make public the fact that he or she has visited those sites or apps and the data from those visits which can be linked to his or her person. The latter can, at most, expect the operator of the site or app to have access to those data and to share them subject to that user’s explicit consent.

Thus, it cannot be inferred from the mere visit to such websites or apps by a user that the personal data in question were manifestly made public by that user. In any case it is the controller who bears the burden of proving that those data are collected for specified, explicit and legitimate purposes and that they are processed lawfully, fairly and in a transparent manner in relation to that data subject. Additionally, the processing of personal data shall be considered lawful only if it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering a contract.The controller must therefore be able to demonstrate how the main subject matter of the contract cannot be achieved if the processing in question does not occur.

The Court also emphasised that applicable GDPR provisions lay down that three cumulative conditions are to be satisfied so that the processing of personal data is lawful – namely the pursuit of a legitimate interest by the data controller or by a third party, the need to process personal data for the purposes of the legitimate interests pursued, and that the interest or fundamental freedoms and rights of the person concerned by the data protection do not take precedence over the legitimate interest of the controller or of a third party.

The Court noted that the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network and the linking of that data with the social network account of those users and the use of those data, can be regarded as necessary for the performance of a contract to which the data subjects are party. This, only on condition that the processing is objectively indispensable for a purpose that is integral to the contractual obligation intended for those users – such that the main subject matter of the contract cannot be achieved if that processing does not occur.

The Court noted, and concluded, that the interpretation of GDPR is such that in view of the nature of the services provided by the operator of the online social network, such an operator whose activity is essentially economic and commercial in nature, cannot rely on the protection of an interest which is essential for the life of its users, or of another person, in order to justify, absolutely and in a purely abstract and preventive manner, the lawfulness of data processing such as that at issue in these proceedings.

This article was first published on The Malta Independent on 19/07/2023.