Facebook and personal data: the Court of Justice limits Meta’s processing activities

With decision of July 4th 2023 (case C-252/21), the EU Court of Justice limited significantly the processing activities carried out by the companies of the Meta Group on personal data. The measure concerns mainly the so-called off-Facebook data, that is data relating to activities that Facebook users do outside the social network.

The issue

Facebook economic model is essentially based on funding through online advertisements which are tailor-made for each user depending on consumption behavior, interests, purchasing power and personal status.

The technical requirement of this type of advertisement is the automated creation of detailed profiles of users using the services offered by the entire Meta Group. For this purpose, alongside data provided directly by the users when signing up, additional data related to users and their devices is collected, in connection to actions carried out both inside and outside the service provided by Meta.

For what relates to off-Facebook data, it is both data regarding the use of other Meta Group services (such as Instagram or WhatsApp) but also data relating to consultation of third-party websites or apps that are linked to Facebook through programming interfaces. Such data is then associated with individual accounts and the general overview that emerges allows to draw detailed conclusions on users’ preferences and interests.

To process this amount of data, Meta relies on the general terms and conditions that Facebook users accept by pushing the “sign-in” button, thus accepting the conditions established by Meta. In force of these conditions, Meta declares to collect data referring to users and their devices, to their activities inside and outside the social network, and to connect them to Facebook accounts of the interested users.

In 2019, the German competition authority examined the system just outlined and prohibited Meta Group from subordinating, in the general conditions, the use of Facebook to the processing of users’ off-Facebook data. In this way, it prevented the continuous processing of such data, without the users’ consent, on the basis of the general conditions applied.

The German authority motivated its decision stating that by processing users’ data Meta was exploiting its dominant position on the market of social network without authorization. It also declared the illicit nature of such conditions as not compliant to GDPR. This because, by the way, the processing of off-Facebook data consists in collecting also particular data (former sensitive data) of Facebook users, when they visit websites or apps different from Meta’s and able to reveal data pertaining to this special category of data (like dating apps, homosexual ones as well, websites of political parties or relating to health).

The decision of the Court of Justice of the European Union

The Court, after clarifying that even a competition authority can examine the compliance of the behavior of a company to the GDPR, stated that the operations carried out by the Meta Group, with particular reference to the so-called sensitive off-Facebook data, are a processing of particular categories of personal data” pursuant to art. 9 of GDPR and, as such, are prohibited, regardless of the fact that such information concerns a Facebook user or another natural person.

The Court disagreed also with the defensive argument of the Group, according to which some action spontaneously carried out by users, such as clicking on “like” and “share” buttons, would be the same as making that particular data manifestly public, thus causing the prohibition in art. 9 GDPR to be lifted.

On this regard the Court pointed out that the exceptions provided for in art. 9 GDPR must be strictly interpreted. Therefore, by visiting websites or apps correlated to one or more categories cited in art. 9, the user of a social network does not make the data relating to such visits manifestly public. Moreover, when a user enters their own data in such websites or apps, as well as activates the “like” and “share” buttons or those that allow them to identify on a website or app using the login credentials connected to a Facebook account, data thus entered or resulting from the activation of such buttons could be considered as manifestly made public only if the users – preliminarily and with full knowledge of the facts – had explicitly expressed the choice to make their data publicly accessible to an unlimited number of persons.


Ilaria Feriti