Meta facing challenges to its data policies on multiple fronts

The Competition Appeal Tribunal (the CAT) recently certified the collective proceedings application made by Liza Lovdahl Gormsen (the PCR) against Meta for alleged competition law breaches arising out of the collection of Facebook users’ data. The CAT subsequently refused to grant permission to appeal and so Meta has announced that it will now request permission to appeal directly from the Court of Appeal. In the midst of these developments, the European Commission (the Commission) has also opened a series of non-compliance investigations under the Digital Markets Act (DMA) and has targeted Meta in one of those investigations.

What happened before certification?

As we reported in our blog post, in early 2023 the CAT refused to certify the collective proceedings application originally filed by the PCR in 2022 and, instead, asked her to do a “root-and-branch re-evaluation” of her methodology. The CAT has now certified the collective proceedings on the terms of the PCR's revised application. 

What is the claim about?

The PCR’s claim is a novel one (at least from a UK perspective – it seeks to build upon the German Federal Cartel Office’s findings of abuse of dominance against Facebook in 2019). In short, the allegation is that Facebook’s terms regarding the collection of user data amount to an abuse of a dominant position in breach of Article 102 TFEU and/or Section 18 of the Competition Act 1998.

Having somewhat narrowed the scope of its allegations in its revised application, the PCR’s claim centres on users being required, as a condition of their use of the platform, to permit Facebook to collect data on their activity on third-party websites and non-Facebook Meta products and services (e.g. Instagram). This data (so-called Off-Facebook Data) is combined with the data Facebook collects on-platform (On-Facebook Data), so that it may (lucratively) be monetised by Meta’s advertising business, without a corresponding value transfer to the Facebook users. 

The PCR alleges that this practice amounts to two abuses.

• First, the PCR claims that it constitutes an unfair trading condition, as Facebook would be commercially viable without the collection and exploitation of Off-Facebook Data, and Facebook users are denied a choice as to whether to share that data and/or the opportunity to bargain over its use. This denial stems from Facebook’s position of dominance, without which there might be competition between rival providers as to the amount of data each user has to share. 
• Additionally or in the alternative, the PCR alleges that Meta’s collection of Off-Facebook Data without paying users for it constitutes the imposition by Meta of an unfair price. In this regard the PCR points to Meta having incrementally increased the amount of data it requires from Facebook users, shifting from (i) a price based solely on extracting On-Facebook Data, to (ii) a price based on extracting both Off- and On-Facebook Data. 

On causation, loss and damage, the PCR alleges that Meta has failed to compensate users adequately for the economic value of their off-Facebook data. Absent the alleged abuse of dominance, the PCR claims that users would have benefitted from a fair bargain in relation to the collection of their Off-Facebook Data; the value that would have accrued to them in that bargain represents the loss users have suffered as a result of Facebook’s allegedly abusive conduct. 

What did the CAT say?

Despite noting that the abuses were not articulated as clearly as they could (or ought to) be, the CAT held that both of the alleged abuses pleaded in the PCR’s revised application were arguable and triable. The CAT therefore ruled that the PCR’s claim should be certified to proceed as a collective action. However, the CAT made clear that its decision should not be read as suggesting the PCR’s plea of abuse was anything more than arguable and triable. 

The CAT noted that there were issues that were “unquestionably complex” and would need to be resolved at trial, highlighting certain challenges the PCR will need to overcome, namely whether:

• the distinction between On- and Off-Facebook Data is more fluid, and less clear-cut, than the PCR’s case would suggest;
• Facebook’s viability depends on the monetisation of Off-Facebook Data; and 
• if users were given the option to charge a price for their Off-Platform Data, this would fundamentally undermine Meta’s business model. 

However, in the CAT’s view these potentially significant challenges did not go to the question of whether the claim should be certified and so did not need to be resolved at this stage. 

On causation, loss and damage, the CAT categorised the loss pleaded as a conventional form of “negotiating damages” and therefore arguable, despite acknowledging that Meta’s use of the data has not caused it to be lost in a physical sense. Such damages are available where a person wrongfully uses another’s property (in this case, the data), and thereby prevents them from being able to obtain the economic value of their property.

What does this mean?

This case forms part of a growing trend for the use of standalone class actions, alleging abuse of dominance, to address conduct that might principally appear to concern other areas of legal compliance, whether consumer rights, data privacy, or even environmental protection. 

Whilst the merits of this trend are open to debate, in allowing the PCR to restate its case and thereby overcome the certification hurdle, the CAT appears to be seeking to impose certain checks and balances at the certification stage without unduly restricting claimants’ access to collective redress. 

Nevertheless, given the difficulties in the case highlighted in the CAT’s ruling and Meta’s pending request for permission to appeal, it remains to be seen whether the PCR’s allegations can ultimately be proved at trial. 

It will be interesting to see how public and private enforcement efforts in this context evolve over time. As noted above, the Commission has also just opened an investigation against Meta for its recently introduced “pay and consent” model, with a stated intention to conclude the proceedings within 12 months. Like the collective proceedings before the CAT, the Commission’s investigation covers the issue of consent for collection of user data across different core platform services, albeit from a different angle. In this context, the Commission’s concern is that the binary choice imposed by Meta may not provide a real alternative in case users do not consent, thereby not achieving the objective of preventing the accumulation of personal data by gatekeepers under the DMA.

The speed at which arguably similar public and private enforcement proceedings progress and interact – both across and within jurisdictions – together with the potential for divergence in substantive outcomes, will no doubt be risks that many firms are acutely mindful of, and will increasingly monitor and factor into their strategic considerations.