Is competition law taking over data protection claims?


The Bundeskartellamt made headlines a few years ago with its decision that Facebook had infringed competition law through its data collection practices (see our summary here). After various further steps, including a trip to the German Supreme Court (see here), this long-running saga has now reached its next chapter, in the form of an Opinion from AG Rantos.

The Opinion deals with a number of questions referred to the CJEU by the Düsseldorf Higher Regional Court. These relate to two main topics:

  1. A procedural issue: does a national competition authority have the competence to examine the conduct of an undertaking under the GDPR?
  2. Substantive issues: how should GDPR provisions be interpreted with regard to processing sensitive personal data, including whether consent can be given freely to a dominant undertaking?

The views of AG Rantos on the substantive GDPR questions may well be of interest to those working in data protection, as there have been few opportunities for the higher courts to consider the GDPR to date. However, it is AG Rantos’ thinking on the first topic that is particularly interesting.

AG Rantos considered it “obvious” that a competition authority “does not have the competence to make a ruling, primarily, on a breach of [the GDPR] or to impose the penalties envisaged”. However, he also considered that to be irrelevant. He reasoned that there is nothing in the GDPR which prevents a competition authority “from being able to take account, as an incidental question, of the compatibility of conduct with the provisions of the GDPR”. The competition authority is still assessing whether or not there has been a breach of competition law.

To some extent, this approach dodges the question. After all, a competition authority assessing the GDPR as part of a competition law investigation, even if only in an ‘incidental’ manner, is still assessing the GDPR, regardless of whether the ultimate sanction comes under competition law.

On the other hand, as AG Rantos noted, compliance (or non-compliance) with the GDPR “may be a vital clue” as to whether conduct amounts to competition on the merits. AG Rantos refers to the AstraZeneca line of CJEU case law, which explains that conduct permitted by other legislation can still result in an abuse of dominance, in specifying that “conduct relating to data processing may breach competition rules even if it complies with the GDPR”. AG Rantos also suggests that if competition authorities are unable to interpret the GDPR, this could affect the efficacy of EU competition law. This is presumably because if a company isn’t complying with the GDPR, that could be a clue that its behaviour is anti-competitive. However, this clue may only come to light if the authority is able to consider the GDPR as part of its competition law assessment.

What does this mean in practice?

AG Rantos suggests that the “competition authority’s interpretation of the GDPR solely for the purpose of applying the rules (and possibly imposing penalties) provided for by competition law” will not affect the competency and powers of the data protection authorities. Further, the competition authorities are subject to duties of diligence and sincere cooperation requiring them to consult with the relevant data protection supervisory authority, and to take account of any GDPR decision or investigation of the competent supervisory authority.

This may well all be true. However, this approach does still seem to offer the competition authorities considerable leeway to pursue data protection issues as a competition law matter, particularly if the data protection authorities are not investigating the issue themselves.

Digital markets are an area of focus for many competition authorities at the moment. There are a number of high-profile ongoing investigations by the European Commission, CMA, and other national authorities. In such investigations, authorities may come across issues that they consider give rise to data protection issues capable of affecting competition. Alternatively, they may be tempted to follow the Bundeskartellamt’s example and open up new investigations based on data-related issues.

If the CJEU follows AG Rantos’ opinion (which is not guaranteed), it would act as a green light for competition authorities to engage with the GDPR. Competition authorities tend to be larger and more well-resourced than data protection authorities. If they see data protection issues as a means of holding anti-competitive conduct to account, we could see more examples of competition authorities taking the lead on investigations that might seem to fall more obviously within the remit of data protection authorities under the GDPR. Where a company benefits from the GDPR’s one-stop shop principle, it would be frustrating for that company to instead (or simultaneously) have to deal with a competition authority on similar issues.

Even if data protection authorities continue to drive the process, we expect data-related issues to come up in competition law cases on a much more frequent basis in the future. As the importance of data and technology continues to grow in day-to-day life, both competition and data authorities will want to keep a careful watch for conduct that could harm consumers.