Over the years, personal data has become an increasingly central aspect of personal and professional life. As such, it is unsurprising that data protection law has both grown in prominence and begun to overlap with other areas of law.
This article considers the specific overlap between competition and data protection in EU law, which returned to the spotlight on 20 September 2022, following the Opinion of Advocate General Rantos in Case C-252/21 Meta Platforms v Bundeskartellamt.
The traditional, separationist approach
Traditionally, competition and data protection issues have been kept separate in EU law. This is reflected in the Court of Justice of the European Union’s statement in Case C-238/05 Asnef-Equifax, that: “any possible issues relating to the sensitivity of personal data are not, as such, a matter for competition law, they may be resolved on the basis of the relevant provisions governing data protection”. This statement has since been echoed by the European Commission in merger review decisions. For example, in Facebook/WhatsApp, it stated that data protection issues: “do not fall within the scope of the EU competition law rules but [instead] within the scope of the EU data protection rules”. The implication of these statements is clear: competition and data protection are separate issues, governed by separate areas of law.
However, despite this separationist approach, data protection issues have begun to arise more frequently in the EU competition context. One example is merger review decisions under the EU Merger Regulation. Thus, in recent years, the European Commission has been asked to clear mergers and acquisitions involving large companies with data-driven business models, such as Facebook/WhatsApp, Apple/Shazam and Google/Fitbit. Mergers and acquisitions such as these have naturally given rise to concerns about the concentration of large volumes of consumers’ personal data into the hands of a few powerful companies. This could have a detrimental impact on competition (for example, with respect to barriers to entry and consumer lock-in on the relevant markets), but also on consumers’ data protection rights (for example, with respect to consumers’ ability to provide free and informed consent to personal data processing when prompted). It is by no means clear that these competition and data protection issues can be dealt with separately.
A further example of overlap between competition and data protection is provided by the so-called German Facebook case. In 2019, the German competition authority found that Facebook had abused its dominant position in the German social media market, contrary to German competition law. In short, it found that Facebook had used its dominant position to induce German consumers to “consent” to Facebook processing their personal data in a wide-ranging manner when, in reality, given the imbalance of power between Facebook and the German consumers, this consent was not free and informed, as required by data protection law. Having used its dominant position in this way, to the detriment of German consumers, the German competition authority concluded that Facebook had violated German competition law.
It is important to note that the reasoning of the German competition authority has been challenged. However, the case nonetheless provides a striking example of the potential overlap between competition and data protection. This, in turn, begs the question of whether the separationist approach to competition and data protection in EU law remains tenable.
Meta Platforms v Bundeskartellamt
Before long, the CJEU will be forced to confront this question in some form. This is because, in 2021, the German Facebook case was referred to the CJEU, in Case C-252/21 Meta Platforms v Bundeskartellamt. On 20 September 2022, Advocate General Rantos delivered his advisory Opinion on the case (which is available here, and has already been explored at length elsewhere, for example, here). The Opinion sets a thoughtful, if somewhat restrained, tone ahead of the CJEU judgment, which is set to be delivered in due course.
Looking ahead, in the period that we are awaiting the CJEU’s judgment, it will be worth revisiting the insights and arguments raised in the existing literature on the interaction between competition and data protection (see, for example, here). These insights and arguments are already well-developed, and will help to inform our assessment of the CJEU’s eventual reasoning and decision. In particular, we should consider:
- How to strike an appropriate balance between the objectives of competition and data protection law, including when these objectives and their logical consequences conflict;
- Whether competition authorities should, in principle, be able to incorporate data protection issues into their assessments;
- How competition authorities would, in practice, go about incorporating data protection issues into their assessments (for example, how they could potentially cooperate with data protection authorities);
- What impact a shift in approach to the interaction between competition and data protection would have on the interaction between competition and other issues, such as environmental issues; and
- How to account for the status of data protection as a fundamental right under Article 8 of the EU Charter of Fundamental Rights, whose infringement cannot be reversed.
These are not easy questions, and they do not have straightforward answers. However, going forward, there is no doubt that this will be an interesting and important area to watch, with significant potential implications for businesses and consumers alike.