In recent times, the intersection between competition law, consumer protection law and data privacy has come into focus, with data related issues increasingly coming under the spotlight of competition regulators.
A recent opinion of Advocate General Rantos (AG) in Case C-252/21 Meta Platforms v Bundeskartellamt considers specifically the overlap between competition and data protection in EU law. This non-binding opinion is significant as it paves the way for the Court of Justice of the European Union (CJEU) to find that competition authorities may take into account non-compliance with the General Data Protection Regulation (GDPR) during their investigations of competition law infringements.
The German Competition Authority (FCO) prohibited Meta Platforms (Meta) from processing data under the terms of service of one of its group companies (Facebook) on grounds that the data processing in question did not comply with the GDPR and constituted an abuse of Meta’s dominant position on the social media market in Germany.
Meta appealed the decision of the FCO arguing that the German competition authority had overstepped its authority by using its powers to address data protection concerns, which Meta argued was the remit of the data protection authorities. When the case reached the Higher Regional Court of Düsseldorf, that Court took the opportunity to refer a number of questions to the CJEU including questions on whether national competition authorities are entitled to assess compliance with the GDPR. While a number of questions about the interpretation of the GDPR were referred, this article focuses on the AG’s findings on the application of data protection law in competition regulation.
The AG’s findings
The AG’s key findings on the intersection of competition law with the protection of personal data can be summarised as follows:
- Competition authorities do not have jurisdiction to rule on an infringement of GDPR, however a competition authority is not precluded, when exercising its own powers, from being able to take account, as an incidental question, of the compatibility of conduct with the provisions of the GDPR.
- The compliance or non-compliance of a practice with the provisions of the GDPR may, in the light of all the circumstances of the case, be an important indication as to whether that practice amounts to a breach of competition law.
- Any assessment made by a competition authority in relation to GDPR compliance must be “without prejudice” to the powers of the competent supervisory authority under the GDPR. If a data protection authority is investigating a practice which is of interest or relevance in a competition investigation, and in the absence of an adequate cooperation mechanism under EU law, a competition authority should consult with the lead data protection authority when beginning an investigation into the same practice and may possibly have to “await the outcome of that authority’s investigation before commencing its own assessment”.
- In the case at hand, the mere fact that Facebook enjoys a dominant position does not call into question the validity of the consent of the user of that network to the processing of his/her personal data. However, dominance in a market can be taken into account when assessing the question of free and effective consent which it is up to the data controller to demonstrate.
This opinion is significant as it raises the possibility of competition authorities addressing GDPR compliance concerns, despite not having jurisdiction to make findings in respect of GDPR infringements or to enforce EU privacy laws, in circumstances where the compliance is an incidental question to the commercial practice under investigation by the competition authority and where it cooperates as necessary with the competent data protection authority.
This case and the AG’s opinion is significant and novel in recognising that whether commercial practices are GDPR compliant may be a relevant consideration in assessing competition law infringements, thereby opening up a new avenue of enquiry for competition authorities and a new layer of complexity for firms the subject of scrutiny by competition and data protection regulators.