CAN COMPETITION AUTHORITIES ASSESS THE GDPR COMPLIANCE OF PERSONAL DATA PROCESSING AS PART OF THEIR ANTITRUST ENFORCEMENT ACTIVITIES?
In his opinion delivered on 20 September 2022, Advocate General Athanasios Ranthos, in Case C-252/21, proposed for the Court of Justice of the European Union to find it compatible with Articles 51 et seq. of Regulation (EU) 2016/679 (“GDPR“) that a competition authority of a member state may assess, in the exercise of its powers, whether a commercial practice involving the processing of personal data complies with the rules of the GDPR .
In affirming this, the BKartA recalled two precedents, the VBL-Gegenwert case and the Pechstein case, in which the Federal Court of Justice considered as abuse of a dominant position certain conducts that violated, in one case, the German Civil Code, and in the other, constitutional rules. Specifically, in the second case, the Federal Court held that competition rules must be applied when a company in a dominant position has the power to affect the other party’s constitutional rights in light of its position in the market. According to the BkartA, this principle should also be applied to the present case, where the rules of the GDPR are being violated. In fact, the purpose of that Regulation is precisely to prevent the creation of asymmetries of power by ensuring a balancing of interests between data subjects and data controllers.
Meta subsequently appealed the BkartA’s decision, claiming that the assessment made by the Authority was not admissible, because it had involved the application of the GDPR by an authority (the competition authority) other than the one competent under the law (the data protection authority). The German court, therefore, referred the case to the Court of Justice for a preliminary ruling, asking the Court to rule on whether the competition authority has the power to ascertain the compliance of the conditions for the processing of personal data with the GDPR even when, pursuant to Article 56(1) of the Regulation, the competent supervisory authority has itself initiated an investigation on them.
As of the date of this article, the Court of Justice has not issued its preliminary ruling but, as anticipated, AG Ranthos in his conclusions assessed that, in the case at hand, the BKartA’s decision complies with the rules of the GDPR. Indeed, according to the AG, even if a competition authority of a member state does not have jurisdiction to find an infringement of the GDPR, nevertheless in the exercise of its powers it may find that a business practice is incompatible with that Regulation. However, the competition authority’s decision under this approach would be admissible only incidentally, insofar as the fact that a practice complies with the GDPR may be a relevant factor in determining whether a business practice violates competition rules. That being said, the competition authority must still respect the powers and competences of the data protection authority, and this implies that it must share with it any relevant information, must take into account any of its investigations and decisions, and must consult with it when necessary.
The Advocate General’s approach seems acceptable, considering that, among other things, the Italian Competition Authority itself, in the areas of its competence, has already on several occasions incidentally assessed the compliance with the GDPR of certain conduct in the market, including in the area of unfair commercial practices towards consumers. Moreover, in the context of competition cases, in markets based on the processing of significant amounts of personal data, it seems inevitable that potential market abuses should also be read through the assessment of the compliance with the GDPR. Indeed, any non-compliance may itself become index of distortive behaviour, in the form of abuse of dominance.