On September 20, 2022, an adviser to the EU’s top court opined that competition authorities may consider a company’s compliance with the EU’s data protection rules as part of an abuse of dominance investigation.

In his Opinion (Opinion), Advocate General (AG) Athanasios Rantos of the EU's Court of Justice (CJEU) noted that competition authorities do not have direct jurisdiction to enforce non-antitrust legal frameworks, including the EU’s General Data Protection Regulation (GDPR). However, they may review a company’s privacy practices and take these into account as a factor (or as an “incidental question”) to determine if a company is abusing its dominant position. AG Opinions are non-binding, but the CJEU follows them in the majority of cases. If confirmed, the Opinion could empower the European Commission (EC) and national competition authorities to assess data protection violations as evidence of an abuse of dominance.

Background

The Opinion addresses a set of questions, referred to the CJEU by the Higher Regional Court of Düsseldorf (the “Referring Court”) in 2021,¹ seeking clarification as to whether a competition authority can assess and determine data protection violations as part of its investigations.

The case is the latest step in proceedings that started with the German Federal Cartel Office’s (FCO) 2019 finding that Meta (previously “Facebook”) abused its dominant position in the German market for social networks by collecting and combining user data from its Facebook platform with data gathered from other Meta services and third-party websites, without user consent. In the FCO’s view, users could not use Facebook’s services without having their data combined across services (i.e., this was a condition in the terms of use that each user had to accept to access the services). The FCO considered that such intensive data processing should only be possible where the user explicitly consents to such use of their data.² Under the GDPR, consent to the processing of personal data must be separate from the agreement to terms and conditions (“not bundled”) in order for it to be valid.

The FCO prohibited Meta from engaging in these data practices, deeming them a GDPR violation and an exploitative abuse under competition law. Meta sought to overturn the FCO’s decision in the Referring Court, which subsequently referred seven questions to the CJEU to help it assess the case.

Blurred Lines: The Opinion

The Referring Court mainly sought clarification on i) the competence of a competition authority to determine GDPR violations and ii) the required level of cooperation between competition and data protection authorities (DPAs), as well as several questions relating to the interpretation of GDPR provisions (such as on the scope of sensitive data).

The Opinion includes points on the intersection between the EU’s competition and data protection rules:

• GDPR compliance can play a role in determining anti-competitive conduct. The Opinion confirms that a competition authority is not competent to establish GDPR violations. However, such an authority can take into consideration as an “incidental question” whether a practice is compatible with the GDPR when assessing alleged competition violations. In particular, the authority may review a company’s privacy practices, to assess whether a dominant company is resorting to methods other than competition on the merits.
• Enforcement by a competition authority does not prevent a DPA from enforcing against the same facts. The AG opines that GDPR and competition rules pursue different objectives. Conduct relating to data processing may breach competition rules even if it complies with the GDPR; conversely, unlawful conduct under the GDPR does not automatically mean that it breaches competition rules. Thus, if a competition authority decides to impose measures on an undertaking based on an interpretation of the GDPR, it would not prevent another authority from ruling over the same set of facts.
• Competition authorities have a duty to inform and cooperate with DPAs. The AG noted that when competition authorities interpret compliance with the GDPR as part of their investigations, they should inform and consult with the lead DPA (i.e., the DPA of the EU Member State in which the company has its main establishment). However, the AG considered that a competition authority’s interaction with the national DPA in its jurisdiction, followed by an “informal” contact with the lead DPA, may be sufficient to fulfill the competition authority’s duties of diligence and sincere cooperation, in particular where the competition authority lacks the ability (given the applicable national law procedures) or the resources (linguistic or otherwise) to interact with the lead supervisory authority. Where a DPA has already ruled on the application of GDPR, competition authorities cannot deviate from that and they should also give priority to an ongoing or intended DPA investigation, to the extent possible, before commencing their own probe.
• Interplay between consent and dominant position. The AG notes that an undertaking’s dominant position on the market should be a factor when assessing whether consent is effectively freely given under GDPR. However, the AG considers that the mere fact that an undertaking enjoys a dominant position on the market does not, on its own, render invalid a user’s consent to the processing of their data.
• Broad interpretation of sensitive data. The AG notes that the GDPR’s rules on processing of sensitive personal data may apply where the user’s online interactions (e.g., websites visited) allow profiling the user on the basis of sensitive data (e.g., racial or ethnic origin, health, or sexual orientation of the data subject). The processing of sensitive data is prohibited by GDPR unless an exemption applies (e.g., where the data subject has consented or where they have manifestly made their data public). AG Rantos considers that users are not fully aware that they are making their personal data public by visiting websites and apps, entering data into those and clicking on buttons integrated into them. Therefore, sensitive data that is inferred from these interactions cannot be considered as “manifestly made public.”
• A need for guidance. The AG highlighted that there is no guidance on cooperation between competition and data protection authorities. This may prompt the EC and/or the European Data Protection Board (EDPB) to issue official guidance.

Key Takeaways

The FCO’s decision is the first time an EU competition authority has considered data protection rules as part of an abuse of dominance assessment (or any competition case). The previous policy was to draw a clear line between the two distinct frameworks, with the EC noting in Facebook/WhatsApp that while privacy can be a non-price parameter of competition, data concerns are firmly within the scope of the EU data protection rules and not competition. The court will also need to determine whether it wants to follow the AG’s broad interpretation of data protection rules that could have a far-reaching impact on online processing activities.

It remains to be seen whether the court will follow the Opinion, but a CJEU judgment will be handed down in the coming months. If the Opinion is followed, there is a risk that companies’ data practices could be scrutinized by both competition and data protection authorities, with the potential for inconsistent and conflicting enforcement and interpretations of the rules absent more structural cooperation. In the UK, the Digital Regulation Cooperation Forum ensures formal cooperation among the UK’s antitrust, data protection, and financial authorities on cases and policy matters, and there is hope that the EU’s Digital Markets Act’s envisioned high-level group for cooperation among enforcers³ will eventually mean a move to a less hermetic and more constructive approach to the interplay between competition and data protection rules in the EU. As it stands, there is limited legal certainty, and companies subject to competition investigations will need to be prepared to educate competition authorities on their data protection compliance.

For more information, please contact Jindrich Kloub, Beau Buffier, Cédric Burton, Laura De Boel, or another member of the firm's antitrust or privacy and cybersecurity practices.

Petros Vinis, Deirdre Carroll, Nikolaos Theodorakis, Laura Brodahl, Laurine Daïnesi Signoret, and Mia Gal contributed to the preparation of this Wilson Sonsini Alert.

---

^[1]Referring Court Press Release No. 11/2021, https://www.olg-duesseldorf.nrw.de/behoerde/presse/archiv/Pressemitteilungen_aus_2021/20210423_PM_Facebook-Beschluss/index.php.

^[2]The FCO based its finding of infringement on a theory of “exploitative abuse,” according to which a dominant company’s practice negatively affects its commercial partners or (in this case) customers/users directly rather than indirectly through the exclusion of competitors and a consequent reduction in competitive offerings (a so-called “exclusionary abuse”). The theory of an “exploitative abuse” has generally not been used by EC enforcers in the past except for cases related to excessive pricing.

^[3]Art. 40 of the Digital Markets Act provides for the establishment of a high-level group of regulators to provide advice and recommendations to the EC and to ensure coordination amongst national and sectoral enforcers (including data protection, national competition authorities, consumer protection, electronic communications, and audiovisual media).