Competition authorities may assess GDPR compliance in abuse of dominance cases

Greater powers handed to national competition authorities as the interplay between competition law and data protection in digital markets continues to gain momentum in the EU

On 4 July 2023, the Court of Justice of the European Union (CJEU) handed down its judgment in a case which examined whether the German Federal Cartel Office (FCO) acted beyond the scope of its powers when it determined that Meta had abused its dominant position by collecting and using its subscribers’ personal data in contravention of the EU General Data Protection Regulation (GDPR). 

The ruling follows the Düsseldorf Higher Regional Court’s request for clarification as to whether the FCO’s findings for an abuse of dominance were compatible with Article 51 GDPR (which requires each EU member state to establish a public authority responsible for GDPR enforcement), given the FCO is not a ‘supervisory authority’ as defined by Article 51.

The decision largely aligns with AG Rantos’ opinion that national competition authorities (NCAs) may invoke data protection rules in antitrust investigations, and represents the first such ruling from the CJEU.  Non-compliance with GDPR obligations may therefore be a relevant consideration in establishing an abuse of a dominant position.

Background

Meta Platforms Ireland operates Facebook within the European Union.  In order to join the social network, users are required to accept the general terms and conditions drawn up by Meta (and, by extension, the data and cookies policies). 

Meta’s processing of personal data manifests itself through the collection of user- and device-related data about user activities both on and off the social network, and the linking of the data with the Facebook accounts of the users concerned. 

The latter data (referred to as the “off-Facebook data”) comprises data concerning visits to third-party webpages and apps, which are linked to Facebook through programming interfaces, as well as data concerning the use of other online services belonging to the Meta group (such as WhatsApp and Instagram).  The data are used (inter alia) to create personalised advertising for Facebook users, a fundamental pillar of Meta’s business model.

In 2019, the FCO issued a decision prohibiting Meta Platforms, Meta Platforms Ireland, and Facebook Deutschland, from making, through the general terms under the user agreement, the use of Facebook by private users resident in Germany subject to the processing of off-Facebook data without their consent.  The FCO’s decision was predicated on the fact that the processing of this data, as provided for under the general terms and implemented by Meta Platforms Ireland, was not consistent with the GDPR and thus constituted an abuse of dominance on the market for online social networks for private users in Germany under German competition law.

Following a series of appeals, the Higher Regional Court in Düsseldorf asked the CJEU for clarification (inter alia) as to whether (i) NCAs may review whether a data processing operation complies with GDPR requirements, and (ii) whether the data processing undertaken by Meta could be justified as lawful under the Article 6(1)(f) GDPR “legitimate interests” legal basis (i.e., the processing is necessary for Meta’s legitimate interests and such interests are not overridden by users’ rights and freedoms).

Ability for NCAs to determine GDPR compliance

With access to personal data and the possibility of processing such data becoming an increasingly significant parameter of competition between undertakings active in digital markets, the CJEU has signalled that excluding from consideration a review of data protection rules when assessing a potential abuse of market dominance would undermine the effectiveness of EU competition law.

The CJEU’s judgment thus held that “… in the context of the examination of an abuse of a dominant position by an undertaking on a particular market, it may be necessary for the competition authority of the Member State concerned also to examine whether that undertaking’s conduct complies with rules other than those relating to competition law, such as the rules on the protection of personal data laid down by the GDPR."

The CJEU is clear in its view that while NCAs are expected to consult and cooperate with the relevant supervisory authorities established by the GDPR (and cannot depart from any prior decision made by such supervisory authority), they are free to draw their own conclusions from the point of view of the application of competition law.  

Processing of data and the “legitimate interests” legal basis

The judgment also clarifies how companies may use consent for the processing of sensitive personal data.  Where Meta had sought to rely upon legal bases under the GDPR other than consent to process data for the purposes of personalising content and advertisements, the CJEU held that companies need to prove that consent is freely given and allow users to withdraw consent, without them being obliged to relinquish the use of the social network service.  By extension, the mere visits to certain websites or clicking a “like” button does not mean that the user manifestly makes public their data within the meaning of the GDPR. 

As regards the use of data processing for the purposes of providing personalised advertising, Meta initially sought to rely on the Article 6(1)(b) GDPR legal basis of “contractual necessity” – that is to say, the processing is necessary for the performance of a contract to which the user is a party.  

Following a finding by the Irish Data Protection Commission in January 2023, Meta changed the legal basis to one of “legitimate interest”.  Here, the CJEU held that the processing of data, including non-sensitive data, can be justified only under those GDPR provisions that do not require consent where it is “objectively indispensable” for fulfilment of the contractual obligations.  

This finding was a slight departure from AG Rantos (who suggested that data processing must be “objectively necessary” for performance of the contract, i.e., that “there must be no realistic, less intrusive alternatives”), but broadly in line with guidance issued by the European Data Protection Board in October 2019.  The CJEU expressed doubts as to whether personalised content or the consistent and seamless use of Meta’s own services are capable of satisfying those criteria, but ultimately reserved this question for the German court.

Lastly, the CJEU highlighted that the fact that a social network operator may be dominant does not preclude its users from validly giving their consent within the meaning of the GDPR to the processing of their data.  However, given the position of dominance may affect users’ freedom of choice, thus creating an imbalance between user and data controller, it does represent an important factor in determining whether the consent was in fact validly and, in particular, freely given (the burden for which rests with the operator).

Key takeaways

The CJEU’s decision marks a significant step in affording antitrust regulators greater flexibility in investigating companies active in digital markets.  It signals that, during antitrust investigations, it may be necessary for NCAs to examine whether a company’s conduct complies with regulations beyond those related to competition law.

In particular, GDPR compliance may serve as a “vital clue” as to whether a dominant company’s behaviour follows the rules that govern normal competition.  It remains to be seen whether a GDPR infringement is in itself sufficient to constitute an abuse by a dominant entity, but the decision is nevertheless expected to have far-reaching effects on business models in this sector.

The CJEU has highlighted that the NCAs would not replace data protection supervisory authorities, and must cooperate with the relevant GDPR watchdogs to ensure a consistent application of the legislation.  NCAs may not deviate from any prior decisions by courts or supervisory authorities, but may draw their own conclusions with respect to the competition law aspects of a case. 

However, given NCAs are able to deem behaviour which breaches GDPR as compliant with competition law, and vice versa, it is unclear under what circumstances NCAs may deviate from the positions adopted by the supervisory authorities without contravening their obligation to conform.  It will also be interesting to see how the ability of NCAs to assess organisations’ compliance with the GDPR affects the so-called one-stop-shop procedure, under which an organisation can designate a supervisory authority to act as its ‘lead’ GDPR authority.

The operation of the one-stop-shop has at times created tensions between competing supervisory authorities, particularly in respect of the regulation of large U.S. technology companies, and the introduction of additional regulatory authorities – i.e., NCAs – into that mix could make matters even more complicated.   

Going beyond the scope of the questions referred to it, the CJEU also appears to establish a highly restrictive approach to the treatment of data processing and the use of “performance of a contract” as a legal basis to do so.  According to the CJEU, companies would remain able to continue to carry out personalised advertising, but would be expected to obtain valid consent.

In such instances, users must be able freely to refuse to consent to this processing without being denied access entirely to the service, and should be offered an equivalent alternative not subject to such data processing, possibly for a fee.  The potentially wide-ranging commercial impact of such an approach could be an unintended consequence of the CJEU’s commentary.

The case now returns to the FCO, where legal proceedings will resume.