Is competition law taking over data protection claims?

By Matthew Hunt
Matthew Hunt and Victoria Baron assess the CJEU's opinion on Facebook infringing on competition law through data collection practices
The Bundeskartellamt (Federal Cartel Office) made headlines a few years ago with its decision that Facebook had infringed competition law through its data collection practices. After various further steps, including a trip to the German Supreme Court, this long-running saga has now reached its next chapter, in the form of an Opinion from AG Rantos.
The views of AG Rantos on the substantive GDPR questions may well be of interest to those working in data protection, as there have been few opportunities for the higher courts to consider the GDPR to date. However, it is AG Rantos’ thinking on the first topic that is particularly interesting.
AG Rantos considered it “obvious” a competition authority “does not have the competence to make a ruling, primarily, on a breach of [the GDPR] or to impose the penalties envisaged”. However, he reasoned there is nothing in the GDPR which prevents a competition authority “from being able to take account, as an incidental question, of the compatibility of conduct with the provisions of the GDPR”. The competition authority is still assessing whether or not there has been a breach of competition law.
On the other hand, compliance (or non-compliance) with the GDPR “may be a vital clue” as to whether conduct amounts to competition on the merits. AG Rantos refers to the AstraZeneca line of the Court of Justice of the European Union (CJEU) case law, which explains conduct permitted by other legislation can still result in an abuse of dominance, in specifying “conduct relating to data processing may breach competition rules even if it complies with the GDPR”.
AG Rantos also suggests if competition authorities are unable to interpret the GDPR, this could affect the efficacy of EU competition law. This is presumably because if a company isn’t complying with the GDPR, that could be a clue its behaviour is anti-competitive. However, this clue may only come to light if the authority is able to consider the GDPR as part of its competition law assessment.
Practical implications
AG Rantos suggests the “competition authority’s interpretation of the GDPR solely for the purpose of applying the rules (and possibly imposing penalties) provided for by competition law” will not affect the competency and powers of the data protection authorities. Further, the competition authorities are subject to duties of diligence and sincere cooperation requiring them to consult with the relevant data protection supervisory authority and to take account of any GDPR decision or investigation of the competent supervisory authority.
This may well all be true. However, this approach does still seem to offer the competition authorities considerable leeway to pursue data protection issues as a competition law matter, particularly if the data protection authorities are not investigating the issue themselves.
Digital markets are an area of focus for many competition authorities at the moment. There are a number of high-profile ongoing investigations by the European Commission, CMA and other national authorities. In such investigations, authorities may come across issues they consider give rise to data protection issues capable of affecting competition. Alternatively, they may be tempted to follow the Bundeskartellamt’s example and open up new investigations based on data-related issues.









