Data plays a huge role in many organisations' business models, so data processing issues are increasingly arising in the context of competition law investigations. This leads to a growing overlap between the roles of competition authorities and data protection authorities.
Traditionally, these regulators operate in very different spaces and have very different regulatory functions. However, when investigating a breach of competition law, can a national competition authority (NCA) consider an alleged breach of the General Data Protection Regulation (GDPR)?
A reference from the German courts to the Court of Justice of the European Union (CJEU) in Meta Platforms and Others v Bundeskartellamt (C-252/21) asks that very question.
National Proceedings Leading to the Preliminary Reference
The preliminary reference stems from a finding of the Bundeskartellamt (the German national competition authority or Federal Cartel Office (FCO) in 2019 that Meta – at that time known as Facebook – collected user and device-related data from other corporate services and Meta business tools without the users' proper consent and collated that data for highly personalised advertising. The FCO found that this heightened barriers to market entry for other competitors and created a 'lock-in effect' for users. The FCO, therefore, identified an abuse of a dominant position in the form of exploitative business terms under the German Act against Restraints of Competition.
The FCO argued that NCAs could and should assess data processing activities when investigating companies like Meta to determine their compliance with the GDPR rules, "which are based on constitutional rights" and which "have to be included in assessments of interests under competition law".
However, this view is controversial. Article 51 of the GDPR entrusts the GDPR policing role to "supervisory authorities", such as the Irish Data Protection Commission (DPC) and its counterparts in other EU member states. A concern is that allowing an NCA to act as a data protection enforcer goes against Article 51 GDPR. There is also concern that allowing an NCA to investigate GDPR breaches cuts across the "one-stop shop" principle. Given that Meta's "main establishment" in the EU is in Ireland, Meta argues that the DPC should have investigated any alleged infringements of data protection law.
Meta challenged this decision, leading to a preliminary reference from the German court to the CJEU.
Questions Submitted to the CJEU
Among the questions submitted, the German court asked the CJEU to determine whether:
- an NCA is competent to find an infringement of the GDPR in the course of its competition investigation and make orders to remedy such breach, even if it is not a supervisory authority within the meaning of the GDPR; and
- the FCO's findings were valid in light of the DPC's decision regarding the same subject matter, which reached a different conclusion regarding Meta's data processing practices.
Opinion of the Advocate General
Last month, the Advocate General at the CJEU Athanasios Rantos published his opinion.
In his opinion, AG Rantos made a distinction between, on the one
hand, a "primary" analysis of a breach of the GDPR and,
on the other, a "secondary" analysis of GDPR compliance
as part of a broader legal and economic context when applying
competition rules.
In relation to a "primary" analysis, the Advocate General
concluded that an NCA does not have the power to find a breach of
the GDPR within its competition proceedings nor to make orders to
remedy such breach.
However, on "secondary" analysis, the Advocate General
argued that, in exercising its powers as a competition authority,
the NCA could consider – in an incidental way – whether
a commercial practice is compatible with the GDPR. Considering all
the circumstances of the individual case, this could be "an
important indication" for the NCA in determining whether that
practice constituted a breach of competition law.
Therefore, the Advocate General concluded that while it is not
within the powers of an NCA to undertake a "primary"
analysis of GDPR compliance, it is open to an NCA to consider GDPR
compliance issues that are "secondary" to broader
competition analysis.
AG Rantos concluded that because competition and GDPR rules pursue
different objectives, allowing an NCA to investigate the same set
of facts as previously investigated by a data protection regulator
would not create the risk of a double ruling over the same set of
facts.
However, AG Rantos also concluded that without established
cooperation mechanisms between the two types of authorities, the
NCA must under EU law cooperate in good faith with and inform the
competent supervisory authority when beginning such investigation.
The NCA may have to await the outcome of the supervisory
authority's investigation before starting its assessment. In
the present case, the Advocate General considered that the FCO
fulfilled this duty by contacting the DPC informally before making
the conclusions for its competition proceedings against Meta.
It remains to be seen whether the CJEU will follow this legal
assessment. The CJEU is not bound to follow the Advocate
General's opinion but generally does so.
Potential impact
Assuming that the CJEU follows the opinion of the Advocate General in this case, it may be open to the CCPC and other NCAs to take into account, in an incidental way, compliance with the GDPR when investigating alleged breaches of competition law. As these areas of law intersect, businesses of all sizes should address these legal risks in the round.
Contributed by Karolina Rozhnova
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.