What legal basis can online platforms use for processing personal data for targeted advertising? We now have an answer.

Following many fines and decisions from data protection supervisory authorities relating to the issue, the CJEU has issued a landmark decision in Meta vs Bundeskartellamt, Case C-252/21 (Decision). The Decision significantly impacts the AdTech industry, especially the personalised use of consumers' personal data for targeted advertising by social media platforms, and, more generally, the interplay of the GDPR and competition law.

This note explores the history leading to this decision and what this means for the future of personalised advertising by online platforms.

Background to the Decision

This development follows several decisions on the appropriate legal basis for processing data in the context of online and behavioural advertising. Under Article 6 of the General Data Protection Regulation (GDPR), organisations that process personal data must have a legal basis to do so. In recent years, data protection supervisory authorities have fined online platforms for failing to choose the correct legal basis for such purposes:

  • WhatsApp was fined €5m by the Irish Data Protection Commission (DPC) in January 2023. The messaging app previously relied on "contractual necessity" (Art 6(1)(b) of the GDPR) as a legal basis before the DPC determined that this was insufficient and ordered it to change from that legal basis. In July 2023, WhatsApp changed its legal basis to "legitimate interest".
  • Meta and Instagram were fined €210m and €180m, respectively, by the DPC in January of 2023 on the basis that the platforms inappropriately relied on "contractual necessity" as a legal basis for processing personal data for behavioural advertising as this was not a core element of the services. The DPC gave the company three months to bring its data processing operations into compliance. In April, Meta changed the legal basis to that of "legitimate interest" (Art 6(1)(f) of the GDPR). However, since then and following the Court of Justice of the European Union (CJEU) decision below, it has changed the legal basis for such processing from "legitimate interest" to "consent" (Art 6(1)(a) of the GDPR).

CJEU's Analysis on Appropriate Legal Basis for Online & Behavioural Advertising

One of the key takeaways from the Decision is the helpful analysis the CJEU provided on the threshold required for using the appropriate legal bases available under Article 6 GDPR for personalised content and advertisement. Specifically, the question referred to the CJEU was:

Can Meta justify collecting data from other group services (i.e., Instagram), third party websites and apps via integrated services, cookies or other similar storage technology, link that data to the user's account, and use that data for personalised advertising on the basis of contract or legitimate interest under Article 6 of the GDPR? The CJEU was further asked whether specific interests as listed below could constitute a legitimate interest under the GDPR.

1. Necessary For The Performance Of A Contract

To rely on "contractual necessity" as a legal basis, the CJEU helpfully clarified that "the decisive factor for the purposes of applying the justification of contractual necessity is that the processing of the personal data by the controller must be essential for the proper performance of the contract concluded between the controller and the data subject". In essence, the processing must be "objectively indispensable for a purpose that is integral to the contractual obligations intended for the data subject." This means that the controller must be able to show that the processing is essential for the performance of the contract, i.e., there are no workable, less intrusive alternatives and that the contract cannot be achieved if the processing does not occur. In this case, the CJEU believed that processing personal data for behavioural advertising was not integral to the contract and was merely ancillary.

In response to the justifications put forward by Meta in relying on contractual necessity for the processing, the CJEU set out the following:

  • Personalised content: Personalised advertising is not necessary to offer the user social network services (e.g., having a profile and interacting and engaging on the platforms). The CJEU believed that those services could be offered as an equivalent alternative that did not provide personalisation to the end user (e.g., use of the platform excluding personalised advertising).
  • Consistent and seamless use of the Meta Group's services: There is no obligation to subscribe to the services offered by the Meta Group to create an account on Facebook. The services provided by Meta can be used independently of each other, so the processing was not necessary for this purpose.

2. Legitimate Interest

To rely on "legitimate interest" as a legal basis, the CJEU helpfully clarified that, when conducting a balancing test to assess whether the data subject's interests override the legitimate interest, the controller must take into account the reasonable expectations of the data subject, as well as the scale of the processing at issue and its impact on data subjects.

In response to the following justifications put forward by Meta in relying on legitimate interest for the processing, the CJEU set out the following:

  • Personalised Advertising: Even though the services of an online social network such as Facebook are free of charge, the user of that network cannot reasonably expect that the social network operator will process that user's personal data without their consent for personalised advertising. In such circumstances, the rights of the user override the rights and interests of the operator, i.e., its interest in this activity financing its operations.
  • Network Security: The German court will have to ascertain whether and to what extent the processing of personal data collected from sources outside the Facebook social network is necessary to ensure that the internal security of that network is not compromised.
  • Product Improvement: The controller's interest in improving its product or service could constitute a legitimate interest capable of justifying the processing, subject to a final assessment as to whether this would override the interests and fundamental rights of the user.
  • Sharing of Information with Law Enforcement Agencies: This cannot constitute a legitimate interest within the meaning of GDPR.
  • Research and Innovation: The CJEU could not comment on this justification.

The CJEU acknowledged that personalised advertising may qualify as a legitimate interest. However, it held that the users' interests, rights, and freedoms prevail in the context of the processing at issue. The CJEU noted that although online services such as Facebook are provided free of charge, users would not reasonably expect that such extensive processing activity for the purpose of personalised advertising was being conducted without their consent. Therefore, it is unlikely that legitimate interest could be used as a lawful basis for personalised advertising.

Can consent, as defined under GDPR, be freely given to a dominant undertaking (such as Meta Platforms Ireland)?

  • Consent: Concerning consent, the CJEU noted that, under the GDPR, "consent is not freely given where the data subject has no free or genuine choice or is unable to refuse or withdraw it without detriment". Therefore, users must be able to refuse consent to particular data processing operations which are not necessary for the performance of the contract (such as personalised advertising) without giving up the opportunity to use the service offered by the online operator. According to the CJEU, users not wishing to provide consent to processing operations that are not necessary for the performance of the contract could be charged a fee. It was also noted that the dominant market position of the online operator does not, per se, preclude users from being able to give valid consent to the processing of their data. However, it is an important factor to consider when determining whether consent was freely and validly given.

Competition Authority Can Investigate GDPR Breaches

The CJEU also addressed whether a National Competition Authority (NCA) can consider an alleged breach of the GDPR. It held that an NCA can find, in the context of the examination of abuse of a dominant position under Article 102 TFEU, that the undertaking's general terms of use relating to the processing of personal data and implementation thereof are not consistent with the GDPR (where such a finding is necessary to establish the existence of such an abuse).

Key Learnings

Online platforms with business models based on personalised content and advertisement should heed the Decision and review their data processing operations. There are several key takeaways:

  • The fact that the processing of personal data for personalised content and advertisement is referred to in a contract or is useful to the performance of the contract may be irrelevant.
  • Personalised content might not be necessary to offer a user online social network services.
  • A "product improvement objective" might come under the legitimate interest legal basis, but only where it does not override the interests and fundamental rights of the user.
  • Consent must be valid and freely given to be used as a basis for processing.
  • A dominant market position of the online operator does not, per se, preclude users from being able to give valid consent. However, it is an important factor to consider when determining whether consent was validly given.

Contributed by Róisín Culligan and Sophie Jones
