CAN COMPETITION AUTHORITIES ASSESS THE GDPR COMPLIANCE OF PERSONAL DATA PROCESSING AS PART OF THEIR ANTITRUST ENFORCEMENT ACTIVITIES?
In his opinion delivered on 20 September 2022, Advocate General Athanasios Ranthos, in Case C-252/21, proposed for the Court of Justice of the European Union to find it compatible with Articles 51 et seq. of Regulation (EU) 2016/679 (“GDPR“) that a competition authority of a member state may assess, in the exercise of its powers, whether a commercial practice involving the processing of personal data complies with the rules of the GDPR .
The main proceedings, which led to the request for a preliminary ruling to the CJEU, concerned the German federal competition authority, the Bundeskartellamt (BKartA), who had found Meta Platform’s processing of personal data in accordance with Facebook’s terms of use to be in violation of the GDPR. In fact, when signing up for the social network, users have to agree to terms of use that allow Meta to collect personal data from other services of the company, third-party applications, as well as other websites. This is made possible through the integration of interfaces into the sites and through the use, on the user’s computer or mobile device, of cookies and similar technologies. In its decision, however, the German competition authority found that this way of collecting and processing personal data by Meta violated GDPR principles on the processing of personal data and imposed measures directed at the cessation of such activities, considering this violation also relevant as a form of abuse of a dominant position. Indeed, according to the BkartA, in order to assess the behavior of an enterprise, and possibly ascribe it to abuse of a dominant position under German competition law, it is also necessary to consider the data processing conditions applied by the enterprise. In this case, the very fact that Meta was able to impose certain terms and conditions on users for them to use Facebook, which did not comply with the GDPR, is a manifestation of abuse of the company’s position of power.
In affirming this, the BKartA recalled two precedents, the VBL-Gegenwert case and the Pechstein case, in which the Federal Court of Justice considered as abuse of a dominant position certain conducts that violated, in one case, the German Civil Code, and in the other, constitutional rules. Specifically, in the second case, the Federal Court held that competition rules must be applied when a company in a dominant position has the power to affect the other party’s constitutional rights in light of its position in the market. According to the BkartA, this principle should also be applied to the present case, where the rules of the GDPR are being violated. In fact, the purpose of that Regulation is precisely to prevent the creation of asymmetries of power by ensuring a balancing of interests between data subjects and data controllers.
Meta subsequently appealed the BkartA’s decision, claiming that the assessment made by the Authority was not admissible, because it had involved the application of the GDPR by an authority (the competition authority) other than the one competent under the law (the data protection authority). The German court, therefore, referred the case to the Court of Justice for a preliminary ruling, asking the Court to rule on whether the competition authority has the power to ascertain the compliance of the conditions for the processing of personal data with the GDPR even when, pursuant to Article 56(1) of the Regulation, the competent supervisory authority has itself initiated an investigation on them.
As of the date of this article, the Court of Justice has not issued its preliminary ruling but, as anticipated, AG Ranthos in his conclusions assessed that, in the case at hand, the BKartA’s decision complies with the rules of the GDPR. Indeed, according to the AG, even if a competition authority of a member state does not have jurisdiction to find an infringement of the GDPR, nevertheless in the exercise of its powers it may find that a business practice is incompatible with that Regulation. However, the competition authority’s decision under this approach would be admissible only incidentally, insofar as the fact that a practice complies with the GDPR may be a relevant factor in determining whether a business practice violates competition rules. That being said, the competition authority must still respect the powers and competences of the data protection authority, and this implies that it must share with it any relevant information, must take into account any of its investigations and decisions, and must consult with it when necessary.
The Advocate General’s approach seems acceptable, considering that, among other things, the Italian Competition Authority itself, in the areas of its competence, has already on several occasions incidentally assessed the compliance with the GDPR of certain conduct in the market, including in the area of unfair commercial practices towards consumers. Moreover, in the context of competition cases, in markets based on the processing of significant amounts of personal data, it seems inevitable that potential market abuses should also be read through the assessment of the compliance with the GDPR. Indeed, any non-compliance may itself become index of distortive behaviour, in the form of abuse of dominance.