Meta may be restricted based on GDPR updates

meta facebook

German competition authority gets vindication from EU ECJ: Meta may be restricted based on GDPR updates

The German competition authority, the Bundeskartellamt, has again been vindicated by the European Court of Justice in case C-252/21 v. Meta.

Meta did not like the fact that the Federal Cartel Office was actively looking into privacy laws and decided to restrict the platform Facebook. Meta believed that this is not the job of the supervisor

The EU ECJ holds that the German competition authority may order Meta under the GDPR to restrict data collection via Facebook and other platforms.


Meta Platforms Ireland is the company that runs the Facebook social network. By registering with Facebook, the user agrees to the company’s terms of use, i.e. privacy and cookie policies. In accordance with this policy, Meta Platforms Ireland collects data about your activities within and outside the social network and links it to your Facebook account.

Data about your activities outside social networks, also known as “Off Facebook data,” relates to your visits to third-party websites and apps and your use of other Meta Group online services (such as Instagram and WhatsApp).

The data collected in this way make it possible, among other things, to provide personalized advertising messages to Facebook users.

German competition authority bans Facebook’s processing of off-Facebook data without consent, for violation of GDPR

The German competition authority in particular, issued a prohibition against providing in general terms and conditions that een individual living in Germany only use can make the social network Facebook provided its off-Facebook data are processed, and to process this data without their consent. The authority has the ban justified on the grounds that such processing whole is not consistent with the provisions of the GDPR, and that Meta Platforms Ireland thereby clearly is abusing its dominant position in the German market for online social networking.

German court submits GDPR questions to European Court of Justice in Facebook case

`The Oberlandesgericht Düsseldorf, in which an appeal wwas lodged against het ban, the EU-HvJ or h
et to the

national competition authorities

falls to


keys or eand certain gedata processing is consistent with the requirements of the GDPR. In addition, scounts it Oberlandesgericht to the Court ook dhe question of how certain regulations of the GDPR must be explained and hoe these should be applied to de processing of data by an operator of an online social network.

meta facebook

Decision of the EUHvJ

The EUECJ is of the opinion that the German competition authority, under the GDPR, measures can take action against Meta when it comes to data collection. National Authorities may thus officially impose requirements that could possibly affect Meta’s revenue model and its subsidiaries may undermine. The Court states That competition authorities In examining whether a firm is abusing its dominant position, it is necessary can be to also consider whether that company’s conduct is consistent with standards other than those of competition law, such as the rules of the GDPR.

Role of national competition authority in GDPR enforcement in abuse of power case

A NCA finding that the GDPR was violated, however, should never replace the supervisory authorities established by this regulation. However, when the competition authority assesses compliance with the GDPR, it does so only to determine whether there is an abuse of a dominant position and to impose measures to end such abuse in accordance with the rules of competition law.

In particular, when the NCA considers it necessary to examine whether a company’s conduct complies with the GDPR, it should check whether the competent supervisory data protection authority has already taken a decision on the conduct in question or similar conduct. If so, that national competition authority may not depart from it, but may draw its own conclusions from it for the application of competition law.

Court clarifies that visiting websites does not constitute implied disclosure of data under GDPR

On the question of whether the processing of sensitive data is exceptionally permissible because the data on facebook manifestly disclosed by the data subject, the Court clarifies that the mere fact that a user visits websites or apps that may reveal such information does not in any way mean that he manifestly discloses his data within the meaning of the GDPR. Nor is this the case when a user enters data on such sites or apps or therein integrated selection buttons, unless he has expressly stated beforehand his choice to disclose the data concerning him to an unlimited number of persons.

Court rules that personalization and funding of ads by Meta Platforms Ireland may violate GDPR

Whether the personalization of content or the consistent and trouble-free use of Meta Group services meets these conditions remains to be examined by the national courts, ruled The Court. In addition, Meta Platforms Ireland strives, according to the Court did not pursue a legitimate interest in funding personalized advertising for the online social network Facebook, which would allow the processing of relevant data without the data subject’s consent.

As a final point, the Court notes the Court notes that the fact that online social network operators, as data controllers, have a clearly dominant position in the online social network market does not prevent their users from using them legally pursuant to the GDPR.

However, since such dominance may affect these users’ freedom of choice and lead to a clear imbalance between them and the data controller, it is an important factor in determining whether consent is actually complete legally valid and voluntarily given.


With this ruling, the court clearly wants to prevent companies like Meta from exchanging user data between individual platforms such as Facebook, Instagram and WhatsApp. For more info around social media platforms and the GDPR, you can contact an accredited DPO.


Meer berichten

de toekomst van GDPR

The Future of Data Protection

Introduction: Since its implementation in 2018, the General Data Protection Regulation (GDPR) has had a significant impact on how organizations worldwide collect,

Meer info: