AMI vs META: When Non-Compliance with the GDPR Creates an Illegal Competitive Advantage

Introduction

Platforms such as Meta Platforms Ireland Limited (hereinafter, "META"), YouTube and Alphabet Inc. have developed commercial strategies whose value depends directly on the creation of personal profiles and personalised advertising, concepts that have been subject to strict legal regulation since the entry into force of Regulation (EU) 2016/6791(hereinafter, "GDPR").

The recent ruling2by Madrid Commercial Court No. 15 (hereinafter, "Commercial Court") on 19 November 2025, relating to a lawsuit filed by a Spanish Media Association, Asociación de Medios de Información (hereinafter, "AMI") representing eighty-six media companies against META, marks a significant turning point: it not only penalises non-compliance with the GDPR for using incorrect legal bases for data processing, but also holds that this non-compliance constitutes an unfair commercial practice prohibited by Article 15.1 of Law 3/1991 on Unfair Competition3(hereinafter, “LCD”).

The ruling clarifies that compliance with data protection regulations is not only a legal obligation but also an essential element in ensuring fair competition between operators. When an economic operator processes data on a massive scale without a valid legal basis, not only are user rights violated, but the level playing field in the market is also altered, competitors are displaced, and the ability of digital media to access advertising revenue is eroded.

The Commercial Court analyses the systematic non-compliance with the GDPR from a new angle derived from the initial conclusions of the German Competition Authority: Does non-compliance with the GDPR in itself constitute unfair competition? The Commercial Court's answer is affirmative, provided that it generates a significant advantage based on unlawful processing that allows the exploitation of data that other competitors cannot legitimately process. In this context, personal data is configured as a strategic competitive advantage, the use of which is constrained by the GDPR.

Breach of the GDPR as a presumption of unlawfulness

The ruling structures its conclusions about non-compliance with the GDPR on four pillars - inadequate legal basis, lack of transparency, breach of the principle of minimization and lack of loyalty to the user - and goes so far as to state that the data processing carried out by META was unlawful throughout the relevant period (25/05/2018-01/08/2023).

Breach of Article 6.1.b) GDPR: necessity for the performance of a contract

META used the necessity for the performance of a contract as the legal basis from the entry into force of the GDPR (25/05/2018) until 05/04/2023, when it began using the legal basis under Article 6.1.f) of the GDPR.

In this regard, the Final Decisions4of the Irish Data Protection Commission (hereinafter, "IDPC"), issued following the Binding Decisions of the European Data Protection Board (hereinafter, "EDPB") of 31 December 20225(hereinafter, "Binding Decisions"), determined that the processing of personal data carried out by META since 25 May 2018 was unlawful, insofar as the processing of personal data for behavioural advertising purposes was not necessary for the performance of the contract6.

The Court of Justice of the European Union (hereinafter, "CJEU") in a judgment of 4 October 2024, Schrems7, confirmed that the extensive processing of personal data carried out by META to develop behavioural advertising, which includes tracking the data subject not only on Facebook pages but also on third-party websites using so called “pixels” and social plug-ins, cannot be justified by the objective of achieving specific or personalised advertising8.

Breach of Article 6.1.f) GDPR: legitimate interest

The legal basis of Article 6.1.f) GDPR was used by META from 05/04/2023 until it became aware of the CJEU ruling of 4 July 2023, Meta Platforms and others9, and it then began to use the consent of the data subject for one or more specific purposes (Article 6.1.a) GDPR).

In Meta Platforms and others, the CJEU considered the infringement of Article 102 of the Treaty on the Functioning of the European Union (hereinafter, "TFEU") based on a company's conduct in relation to the collection and processing of personal data it collects from its users. In summary, the CJEU stated that, regarding the potential conflict between freedom of enterprise – to design a business model based on personalised advertising – and the individual's right to data protection, the CJEU favours the latter: "in this regard, it should be noted that, despite the fact that the services of an online social network such as Facebook are free of charge, the user of that network should not reasonably expect that, without his or her consent, the operator of that social network will process that user's personal data for personalising advertising."10

Therefore, the legal basis of Article 6.1.f) GDPR is not only insufficient but also incompatible with the GDPR in the context of behavioural advertising.

Breach of Article 5.1.a) GDPR: principles of lawfulness, transparency and fairness

Article 5.1.a) GDPR establishes that all data processing must comply with the principles of lawfulness, fairness and transparency. This principle does not operate in isolation but is developed in Articles 12.1 and 13.1.c) GDPR. In this regard, Article 12.2 GDPR requires that the information provided to the data subject be concise, transparent, easily accessible and in clear language, and Article 13.1.c) GDPR requires that the legal basis for the processing be disclosed.

The CPDI's Final Decisions made it clear that META failed to comply with these standards by modifying the legal basis for processing from 25 May 2018 onwards without providing a clear explanation for this change. The CPDI states this clearly:

"Although there is no specific requirement in the GDPR to provide data subjects with information about a change in the legal basis... the lack of clarity on such a fundamental issue highlights the inherent lack of transparency in the information provided to the data subject."

Consequently, META's actions violated the principle of transparency in Article 5.1.a) in connection with Articles 12.1 and 13.1.c) of the GDPR, as it prevented the user from understanding the specific processing operations, the personal data processed in them, the purposes and the legal basis on which each of the processing operations is based. This lack of transparency necessarily leads to a lack of fairness. It implies that the services were provided in an "ambiguous" manner, eroding the informational trust necessary for lawful processing in accordance with the GDPR.

Breach of Article 5.1.c) GDPR: principle of minimization

The judgment, based on the Final Decisions of the Irish Data Protection Commission, highlights that META carried out a massive, generalised and undifferentiated collection of data, without distinguishing between those necessary for specific purposes and those that exceed them. This constitutes a direct violation of Article 5.1.c) GDPR, which requires processing to be limited to data that is "strictly necessary" for processing11. Furthermore, it warns that this collection included special categories of data under Article 9.1 GDPR - political opinions, religion, sexual orientation, health - without explicit consent in accordance with Article 9.2.a) GDPR.

This analysis is in line with the Schrems ruling12, where the CJEU stated that a platform such as META cannot use personal data for advertising purposes without time restrictions or distinction as to the type of data processed.

Competitive advantage: LCD

General approach

The plaintiff pointed out in its statement of claim that the competition law infringements attributed to META corresponded to the conduct defined in Articles 15.1 and 15.2 of the LCD. The judgment determines that the "significant competitive advantage" referred to in both sections is the same and has a common purpose: to suppress regulatory infringements that involve an illegal alteration of the starting point at which competitors initially find themselves, protecting the equality of competitors (par condicio concurrentim) against advantageous positions obtained through the infringement of laws.

Therefore, the difference between the two lies in the type of infringement: Article 15.1 refers to general legal infringements, while Article 15.2 requires an infringement of regulations aimed at regulating competitive activity, including rules governing competition (Articles 101 and 102 TFEU and Articles 1 and 2 of the Spanish Competition Act).

The ruling clarifies that, under Article 15.1 LCD, it is not sufficient to have infringed the rule. However, it is necessary to justify and prove the causal link between the competitive advantage and the infringement of rules, as, in principle, the competitive advantage is not a natural consequence of the simple infringement of regulations. However, under Article 15.2 of the LCD, it is presumed that the violation of competition rules confers a significant competitive advantage that the infringer can exploit, although it is relevant to assess the market circumstances in which the infringement occurred.

The judgment also denies that the GDPR is a general rule that cannot be considered a rule regulating competitive activity. It affirms, based on the CJEU judgment in Meta Platforms and others13, that data protection rules are not outside the scope of competition law and may, where necessary, be invoked to justify an abuse of a dominant position.

Following this approach, the judgment analyses the application of both sections to the specific case.

Infringement of Article 15.1 LCD

Regarding the infringement of Article 15.1 LCD, the judgment analyses the requirements for classifying META's conduct as unfair, finally upholding the action brought against said infringement.

In this regard, it recognises the aforementioned infringements of the GDPR but points out that these alone are insufficient to establish an infringement of Article 15.1 LCD. Unlike Article 15.2 LCD, this requires proof that a competitive advantage has been gained as a result of the breach. Therefore, the requirements of this first paragraph are: the infringement of rules, the obtaining of a significant competitive advantage and the causal link between the infringement and the advantage obtained.

Meta's business model is based on advertising revenue and relies on the massive and detailed processing of personal data. In this regard, the ruling identifies three decisive factors for providing this advertising: (i) having data from many millions of users; (ii) having a large amount of data on each user; and (iii) using appropriate technologies that allow for the creation of detailed and accurate user profiles. Thus, the ruling goes through each factor, the infringement committed, the advantage it confers, and how the infringement allows that advantage.

Firstly, a valid legal basis is required to obtain the user data necessary for personalised advertising. However, from 25 May 2018 to 1 August 2023, META's processing of personal data was unlawful because it lacked a valid legal basis. This situation allowed META to access and use data from millions of users on a legal basis that did not permit such use, thereby obtaining a competitive advantage that its competitors could never have matched, which is considered significant given the enormous volume of META's user database in Spain. The causal link is based on the fact that the infringement enabled this improper access and that the number of META users would have been reduced if an adequate legal basis had been applied.

Secondly, the judgment, based on the conclusion of the Irish Data Protection Commission, establishes a breach of the principle of minimization, which allowed META to collect an excessive amount of data from each user. The defendant grouped all data, including sensitive data that should have been treated as special categories of data and, in accordance with Article 9.2.a) of the GDPR, required the explicit consent of the data subject, which was absent in this case. Consequently, had it complied with these rules, META could have processed much less data than it did. The competitive advantage lies in the fact that this large amount of data allowed it to deliver more effective personalised advertising than its competitors. Therefore, the causal link is direct: the breach of the principle of minimization and the processing of sensitive data without express consent multiplied the amount of data available, enhancing the effectiveness of META's personalised advertising compared to its competitors.

Finally, although the ruling acknowledges that META uses more advanced technologies to create accurate profiles, it considers that the problem lies in the unlawful collection and use of data. Its competitors with limited data would not be able to replicate such profiles even if they used similar technologies. The advantage, therefore, arises from feeding its algorithms with massive and irregular information, which is unattainable under regulatory compliance. Thus, the causal link is that the infringements provided the raw material for technological precision, consolidating META's advertising superiority.

Consequently, the ruling upholds the action regarding the infringement of Article 15.1 of the LCD.

Infringement of Article 15.2 LCD

The plaintiff alleged, in addition to the infringement of Article 15.1 of the LCD, the violation of Article 15.2 of the same law. The difference between the two, as already mentioned, is that, in this case, the regulatory infringement must be of legal rules governing competitive activity, with the competitive advantage presumed.

In the present case, the rules infringed in this regard are those of Article 2.2(a) and (e) of the LCD, which correspond to those of Article 102(a) and (d) of the TFEU, which constitute abuse of a dominant position. The judgment adds that, to determine META's abuse of a dominant position, it is not sufficient to allege infringements. However, it is necessary first to prove META's dominant position. To assess whether a company is in such a position, it is essential to take into account the competitive structure of the market, i.e. to establish the relevant market.

Nevertheless, the judgment concludes that it has not been possible to determine the relevant market for the period analyzed, as neither the plaintiff's nor the defendant's expert report has identified it. Therefore, if the specific relevant market is not defined, it is impossible to provide solid evidence of abuse of a dominant position. Unlike the GDPR non-compliance claim -a follow-on action-, this constitutes a stand-alone action. 

Consequently, the action under Article 15.2 of the LCD that was brought in the lawsuit could not succeed, and the lawsuit was only partially upheld for infringement of Article 15.1 of the LCD. Consequently, the ruling proceeds to analyze the action for compensation or damages.

Compensation for damages

The judgment addresses compensation under Article 32.1 of the LCD, which allows for the exercise of the action for compensation for damages caused by unfair conduct if there has been intent or fault on the part of the agent. This action shares the structure of non-contractual liability under Article 1902 of the Civil Code (hereinafter, "CC") and therefore requires the concurrence of four elements: (i) unlawful action or omission; (ii) intent or negligence; (iii) economically assessable damage; and (iv) a causal link between the unlawful conduct and the damage suffered.

Analysis of the four elements

The unlawful conduct takes the form of behavioural advertising based on the processing of personal data without a legal basis, which involves the systematic and prolonged use of personal data outside the limits established by the GDPR. The infringement therefore extends from the field of data protection to the market, creating an unlawful competitive advantage over operators who complied with the regulatory framework.

The ruling also states that META was fully aware of the GDPR's regulatory impact on its business model, particularly regarding the limitations on tracking tools and advertising profiling. Despite this, it decided to abandon consent (Article 6.1.a) GDPR) as a legal basis and invoke the need for contractual performance (Article 6.1.b) GDPR) and legitimate interest (Article 6.1.f) GDPR), precisely to avoid the effects of the GDPR on its commercial activity. This behaviour reveals a conscious strategy of regulatory circumvention.

About the damage, the judgment specifies that it is not a direct loss -i.e., actual damage- but rather the profits lost by competitors as a result of the competitive advantage unlawfully obtained by META. In accordance with Article 1106 of the Civil Code, compensation must cover both actual damage and loss of profits, although in the present case, only the latter is applicable. In clear terms: if META accessed the advertising market through unlawful data processing, those who complied with the GDPR lost legitimate business opportunities.

Finally, the judgment distinguishes between the causality required in cases of actual damage and that applicable to loss of profits. In the latter case, it does not require a direct and visible causal link, but rather a reasonable and well-founded assessment of the loss of opportunities resulting from the unlawful conduct. 

Quantification of damage

The ruling addresses the quantification of damage with particular relevance, as it determines the legal and evidentiary criteria applicable to loss of profit resulting from an unlawful competitive advantage.

Firstly, the court agrees with META that the CNMC's Guide on the quantification of damages resulting from competition infringements14(hereinafter, the "Guide on the quantification of damages") does not apply to the present case, as it is aimed at infringements of Articles 1 and 2 of Law 15/2007 on the Defence of Competition. However, the present dispute is not based on an abuse of a dominant position, but on a competitive advantage unlawfully obtained through the infringement of the GDPR.

Notwithstanding that the Guide on Quantification of Damages is not applicable, the court considers it reasonable for the claimant's expert to use a simulation methodology that compares the actual scenario (with infringement) with the counterfactual scenario (without infringement). The exact scenario is based on objective data from the CNMC Study on competition conditions in the online advertising sector in Spain15: "while Facebook may account for more than 40% of display advertising revenue". Based on this parameter and META Ireland's revenue, it was estimated that META generated net revenue of €5,281.69 million in Spain between 25 May 2018 and 31 July 2023. To break down 2018, the months before the GDPR entered into force were excluded, resulting in an adjustment from June onward.

A key element of the reasoning lies in Article 217 of the Civil Procedure Act16(hereinafter, "LEC"), on the burden of proof. META did not provide its specific accounts in Spain during the proceedings, even though it was fully able to do so. This omission allows the judge to consider the amounts derived from the plaintiff's expert study as proven, in accordance with the judicial presumption under Articles 217.3 and 217.7 of the LEC. Consequently, the court finds that META's actual net income in the relevant period amounts to the aforementioned sum of €5,281.69 million.

The judgment rejects both parties' arguments regarding the possibility of differences between income obtained "in breach" and "without breach". The legal reasoning is compelling: META continuously breached the GDPR throughout the relevant period, without having a valid legal basis for the processing of personal data. Therefore, all income derived from this activity must be classified as "income obtained in breach".

Regarding the market unit and the plaintiffs' share, insofar as the plaintiff's advertising report was disregarded17, the court adopts the defendant's experts' argument and considers the Spanish advertising market as a whole, including both online and offline media, to be the market unit. Based on data from INFOADEX, a company that measures advertising investment, gross income is converted to net income using a conversion coefficient, enabling a uniform comparison of META's position with AMI's. AMI's annual market share is calculated using its yearly revenue, and this share is applied to META's net revenue to determine the plaintiffs' lost earnings.

The result for AMI amounts to €479.12 million, which is less than the €508.60 million initially claimed. The same methodology is applied to Europa Press and Radio Blanca, with final results of €2.57 million and €13,562.84, respectively.

About interest, the ruling is based on the logic of Directive 2014/104/EU18and Article 72 of the LDC, which considers the payment of interest to be an essential element of compensation. On this basis, the court sets the dies a quo as 31 December of each year in which META's unlawful income is generated -as this is the date on which it has already been produced, due and accounted for- with the particularity that for 2023, the starting date is taken as 31 July 2023, the last day of the relevant period.

Consequently, for all compensation items (AMI, Europa Press and Radio Blanca), the simple interest rate is applied, resulting in total interest of €60,467,156.85 for AMI, €328,059.28 for Europa Press and €1,467.72 for Radio Blanca.

• 1REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
• 2Judgment of the Commercial Court of Madrid of 19 November 2025, Ordinary Proceedings 109/2024. The judgment has not been published as of the date of publication of this note.
• 3Law 3/1991 of 10 January on Unfair Competition.
• 4  On 31 December 2022, the CPDI issued final decisions on investigations IN-18-55 (relating to the Facebook service) and IN-18-5-7 (relating to the Instagram service).
• 5Binding Decision 3/2022 on the dispute submitted by the Irish supervisory authority concerning Meta Platforms Ireland Limited and its Facebook service (Art. 65 of the GDPR), available at the following link.
• 6Paragraphs 118 and 122 of Binding Decision 3/2022.
• 7Judgment of the CJEU of 4 October 2024, C-446/21, Schrems, ECLI:EU:C:2024:834.
• 8Judgment of the CJEU of 4 October 2024, C-446/21, Schrems, ECLI:EU:C:2024:834, paragraphs 62 and 63.
• 9Judgment of the CJEU of 4 July 2023, C-252/21, Meta Platforms and others, ECLI:EU:C:2023:537.
• 10Judgment of the CJEU of 4 July 2023, C-252/21, Meta Platforms and others, ECLI:EU:C:2023:537, paragraph 117.
• 11Judgment of the CJEU of 24 February 2022, C-175/20, Valsts ieņēmumu dienests, ECLI:EU:C:2022:124, paragraph 74.
• 12Judgment of the CJEU of 4 October 2024, C-446/21, Schrems, ECLI:EU:C:2024:834.
• 13Judgment of the CJEU of 4 July 2023, C 252/21, Meta Platforms and others, ECLI:EU:C:2023:537, paragraph 51.
• 14Guide available at the following link: link.
• 15E/CNMC/002/2019, Study on competition conditions in the online advertising sector in Spain of 7 July 2021, page 9, available at the following link: link.
• 16Law 1/2000 of 7 January on Civil Procedure.
• 17It should be noted that both parties submitted two expert reports, one on advertising and the other on economics.
• 18Directive 2014/104/EU of the European Parliament and of the Council of 26 November 2014 on certain rules governing actions for damages under national law for infringements of the competition law provisions of the Member States and of the European Union.