More than ever, the combination of personal data is of interest, in that it poses a risk not only to be in violation of the GDPR, as the French Data Protection Authority (CNIL) believed in its sanction of Google LLC, but also in relation to Competition law, as indicated by the German competition authority’s February 2019 decision on abusive exploitation, although temporarily suspended until the German Federal Court of Justice’s judgment. While transparency seems to be a key element in containing this risk, uncertainties remain regarding its specific implementation.
1 - With the entry into force on 25 May 2018 of the General Data Protection Regulation 2016/679 (GDPR), the principles of personal data protection have continued to extend their scope. It must be recognized that their fundamental concepts are interpreted widely. With a few rare exceptions, such as activities for purely domestic purposes, the GDPR applies to any processing of personal data. In practice, the consequences are considerable. This concerns the slightest operation, i. e. both the collection, storage, hosting, transmission or deletion, and, of course, the combination of any information relating to an identified or identifiable natural person. All areas of activity are therefore exposed, from the public to the private sector. Even the religious sphere is no exception, as the judgment of the Court of Justice of the European Union dated 10 July 2018 against the preaching activities of Jehovah's Witnesses has once again emphasized.
Beyond these sectors of activity, the principles of personal data protection also extend to other areas of the law. Admittedly, this phenomenon is not entirely new. Labor law and Consumer law were the first to use its principles. This phenomenon of extension is nevertheless accelerating significantly, as shown by the succession of judgments, such as the one handed down by the Paris Court of the First Instance on 12th February 2019 that declared the terms provided for in the general conditions for use of the Google social network to be unfair on the grounds that they provided general information not allowing users to assess the extent of the collection of their personal data or the scope of their commitments. This trend is not limited to France. In January 2020, the Administrative Regional Court of Lazio partially confirmed a 10 million fine the Italian Competition Authority (ICA) had imposed on Facebook in 2018. This fine was based on, among others, pre-selected data-sharing settings that the ICA deemed to fall under aggressive commercial practice according to the Italian Consumer Code. As we will further analyze below, Competition law is no exception to this everincreasing reach of the principles of data protection.
Previously, the competitive analysis of personal data markets was essentially focused on considerations of which the practical impact had remained limited. In its 2014 Facebook/WhatsApp and 2016 Microsoft/LinkedIn decisions, the European Commission considered that these entities were operating in several distinct relevant markets: social networking services for Facebook, professional social networking services for LinkedIn and Internet advertising services. It had thus authorized the proposed concentrations, without considering that a dominant position was being created or strengthened on these markets. In its view, the volume of data accumulated was considerable, but insufficient for the entities resulting from the acquisitions to benefit from an irretrievable advantage. The analyses then focused on quantity rather than on other criteria, such as the quality of the information, in particular, regarding its potential for reuse for other purposes, including advertising. Although these analyses took a step forward with the 2016 joint study carried out by the French and German national competition authorities, they still faced a major factual obstacle, namely that personal data cannot constitute a relevant market in its own right, that is the place where supply and demand for a specific product or service meet. It must be noted here that personal data, in itself, do not constitute such a product or service.
While their capture is subject to fierce competition between actors whose economic models are based on their exploitation, the non-financial nature of data strongly tends to exclude them from the definition of relevant market adopted by Competition law. In reality, the exploitation and use of personal data is more of a market power factor. This is particularly so where the relevant markets are characterized by a strong network effect, i.e. the way in which the use of a good or service by a given user influences the value that the good or service will present for other users.
In such a context, however, the wide availability of personal data could contribute to reducing the competitive advantage attached to their collection and retention. The data are indeed of a non-rival nature. Their capture and exploitation by an economic agent do not deprive others of the possibility of also using them. The French and German national competition authorities had noted in their 2016 Study that this non-rival nature is part of a multi-hosting context, with the user being able to provide its personal data to several providers offering the same type of service or similar services, with the limit - substantial in an online universe - that users mainly turn to the most efficient service.
In the field of merger control, competition authorities therefore remain alert to the risk of foreclosure of competitors linked to access to personal data and the preservation of the diversity of service offers on the Internet. They are equally vigilant to the possibility of abuse of a dominant position. Although temporarily suspended by the High Regional Court in Dusseldorf until the German Federal Court’s judgment, this was demonstrated by the 6th February 2019 decision under which the Bundeskartellamt sanctioned Facebook for conduct that it deemed to qualify as abusive exploitation in the German non-professional social networking market, on the grounds that the platform's general conditions allowed it to collect both systematically and massively the personal data of its users without their consent, and then combine this information and, in so doing, strengthen its market power by creating this unique database on each of its users. This decision was above all a turning point, in that it was accompanied by injunctions, but without imposing any financial penalty. Facebook was given 12 months to remove from its terms and conditions that the use of its social networking platform is conditional on the collection and use of data from other services such as WhatsApp and Instagram. The deadline was even reduced to only 4 months to submit technical solutions to the German competition authority to ensure compliance with these injunctions. Further to the Dusseldorf’s High Regional Court suspension order, Facebook did not have however to comply with the injunction. Although the Court specifies that violation of data protection rules based on large combination of datasets would not automatically be an infringement of competition law (in particular, an abuse of a dominant position) at the same time, the merits of the case is still of significant interest until the German Federal Court hands down its judgment.
2 Dominant position on the German social networking market. One of the interests of the Bundeskartellamt decision concerns the qualification of the market on which the dominant position can be exercised. Such a qualification was not so obvious because personal data are usually free of charge. The vast majority of services provided online (such as search engines, social networks and communication applications) are based on the economic model of free access for users, with the sharing of their personal data then giving rise to value between economic actors.
In this respect, online platforms operate in a two-sided market. While providing a service to Internet users in return for the collection of their personal data, they market this data in another market (particularly in the online advertising market) in order to finance their activities. In order to be able to qualify Facebook's conduct as abusive exploitation, the Bundeskartellamt therefore had first to find that the social network did indeed hold a dominant position on the national, in this case German, social networking market.
To do this, the German competition authority did not rely on an excessively complex economic analysis. It is based on the fact that Facebook has a market share of more than 90% in Germany for social network services in terms of users. Of the 2.3 billion active users per month worldwide, 32 million reside in Germany, of which 23 million are active on a daily basis. This situation has become all the more important as with the disappearance of Google+ from the market, there are only a few small competing local suppliers left.
3 The Bundeskartellamt’s interpretation of abusive exploitation. In fact, such a situation has been a problem for the Bundeskartellamt, especially since, for this authority, Facebook's market power is essentially based on access to users' personal data, economies of scale, network effects and competitive pressure induced by innovation. It is on this subject that Competition law and Personal Data law are at a crossroads. This is the challenge presented by a major phenomenon that is not new: the combination of personal data.
It should be recalled that this phenomenon was at the origin of the adoption in the 1970s of national laws for the protection of information then qualified as nominative, in particular by the French Act adopted on January 6, 1978. Certainly, at that time, the risk did not come from social networks. They did not yet exist. The risk was that of large public authorities’ databases. But, in reality, this circumstance has not changed. The risk simply migrated from the public to the private sector. Directive 95/46/EC of October 24, 1995 took this into account by moving the cursor on the protection of personal data from the criterion of the public or private nature of the body carrying out the processing operation to the criterion of the sensitivity of the information in question. In this respect, the GDPR has only taken a further step forward, as it is based on a risk-based approach in order to better understand a phenomenon of "fragmentation" of processing operations in which both the number of recipients and, in so doing, the possible re-uses of the information they receive for their own purposes have multiplied.
In our opinion, the German competition authority has taken this fact into consideration in its decision. We are far from excessive prices here, since the use of Facebook is free. The Bundeskartellamt’s finding of abusive exploitation is in fact based on Facebook's systematic collection of its members' personal data, but above all on the combination of the latter with the data from the other social networks that it owns. This combination is achieved through feedback not only from WhatsApp and Instagram, but also from other social networks and even other third-party websites that have integrated the "Like" button.
According to the German competition authority, this device has enabled Facebook to build a single database for each user over time and, in so doing, significantly strengthen its market power. The logic is simple: the more data a social network accumulates on each of its users, the more attractive and, above all, the more valuable its advertising space becomes. This allows it to further optimize its own service and continuously attract users who are improving their chances of communicating with new contacts. The Bundeskartellamt concluded that the "network effects" strengthen Facebook's dominant position, as well as the foreclosure effects at the expense of other social network providers, and contribute to the additional competitive harm to Facebook's competitors in the social network advertising market that characterizes the abuse of its position.
4 Transparency. For the German competition authority, this situation was actually a consequence of Facebook's general terms and conditions of use, which, according to the Bundeskartellamt, do not allow users to be aware of the extent of the processing of their data or, consequently, to obtain their informed consent in this respect.
On this point, such an assessment fully converges with that of the personal data protection authorities, which had also been asked, at least in Germany, in this case. It is also on the grounds of the extent of the processing in the absence of user consent that the French personal data protection authority imposed a fine of EUR 50,000.000 EUR against Google LLC. It was also inspired by the opinion already delivered by the Article 29 Working Group (before being replaced by the European Data Protection Committee, which adopted its conclusions) on a central concept of the GDPR: transparency.
This concept, which has particularly serious consequences for market practices that depend on users' choices, now plays a decisive role in competitive analysis. It is therefore a question of guaranteeing everyone their right of control over their own data, which both German and French law on personal data describes as a principle of "informational self-determination".
Despite the convergences, however, one point still seems to us to be under discussion: the legal basis of the processing operation. The German competition authority relied on consent. Admittedly, this principle is historically fundamental in the legal tradition in Germany. However, it is not the only valid legal basis, including in the case of a combination of personal data.
However, on this point, the sanction decision adopted by the French personal data protection authority (CNIL) against Facebook on 27 April 2017 seems to us to be particularly enlightening. Even if the CNIL then considered that the conditions were not met in the case in question, it nevertheless admitted on that occasion that Facebook's combination of personal data in the context of statistical business intelligence processing may not need to be based on consent, but on the legitimate economic interest of the controller in offering a free and relevant service to users.
Certainly, safeguards are required. The legitimate interest is only applicable if the data subject is duly informed and given the opportunity to object. In the end, the combination is not without limits. On the contrary, it is well supervised and must always be transparent. In practice, however, the mechanism of opt-out instead of opt-in allows for a much wider collection potential since, in the event of silence on the part of the user, his or her personal data are in principle processed.
There is therefore a first friction between Competition law and Personal Data law, since the latter does not systematically analyze as abusive a processing of personal data that is not based on consent, even if it is particularly broad, as long as it is not massive.
This, in our opinion, is probably where the real issue lies. As the CNIL has already noted in its sanction of Google LLC, it is the scale of the transactions in question, i.e. the wide range of different sources from which the data are derived that drives the analysis, particularly in a world where customer knowledge is a significant competitive advantage.
In such an environment, however, it should not be forgotten that the Court of Justice of the European Union considers that Facebook is not the only one responsible for these processing activities. The role of Facebook is certainly important, but it is only one of the joint data controllers. Following Advocate General Bobek's Opinion for the Fashion ID case the same capacity applies to the choice of website publishers to install a social network module on their websites.
Let us not forget that these publishers benefit in this respect from a renewed visibility, making them also joint data controllers. All these reasons should legitimately lead to the Court of Justice of the European Union - even if it had already ruled on the economic model of search engines in its Google Spain judgment – being brought to give a definitive answer on this question, in order to fully balance fundamental principles such as the right to respect for private life and the need for the free flow of information in an environment where access to personal data is now by far the most decisive competitive issue.
