Matthew Hunt

Associate, Bristows

Is competition law taking over data protection claims?

Matthew Hunt and Victoria Baron assess the CJEU's opinion on Facebook infringing on competition law through data collection practices

The Bundeskartellamt (Federal Cartel Office) made headlines a few years ago with its decision that Facebook had infringed competition law through its data collection practices. After various further steps, including a trip to the German Supreme Court, this long-running saga has now reached its next chapter, in the form of an Opinion from AG Rantos.

The views of AG Rantos on the substantive GDPR questions may well be of interest to those working in data protection, as there have been few opportunities for the higher courts to consider the GDPR to date. However, it is AG Rantos’ thinking on the first topic that is particularly interesting.

AG Rantos considered it “obvious” a competition authority “does not have the competence to make a ruling, primarily, on a breach of [the GDPR] or to impose the penalties envisaged”. However, he reasoned there is nothing in the GDPR which prevents a competition authority “from being able to take account, as an incidental question, of the compatibility of conduct with the provisions of the GDPR”. The competition authority is still assessing whether or not there has been a breach of competition law.

On the other hand, compliance (or non-compliance) with the GDPR “may be a vital clue” as to whether conduct amounts to competition on the merits. AG Rantos refers to the AstraZeneca line of the Court of Justice of the European Union (CJEU) case law, which explains conduct permitted by other legislation can still result in an abuse of dominance, in specifying “conduct relating to data processing may breach competition rules even if it complies with the GDPR”.

AG Rantos also suggests if competition authorities are unable to interpret the GDPR, this could affect the efficacy of EU competition law. This is presumably because if a company isn’t complying with the GDPR, that could be a clue its behaviour is anti-competitive. However, this clue may only come to light if the authority is able to consider the GDPR as part of its competition law assessment.

Practical implications

AG Rantos suggests the “competition authority’s interpretation of the GDPR solely for the purpose of applying the rules (and possibly imposing penalties) provided for by competition law” will not affect the competency and powers of the data protection authorities. Further, the competition authorities are subject to duties of diligence and sincere cooperation requiring them to consult with the relevant data protection supervisory authority and to take account of any GDPR decision or investigation of the competent supervisory authority.

This may well all be true. However, this approach does still seem to offer the competition authorities considerable leeway to pursue data protection issues as a competition law matter, particularly if the data protection authorities are not investigating the issue themselves.

Digital markets are an area of focus for many competition authorities at the moment. There are a number of high-profile ongoing investigations by the European Commission, CMA and other national authorities. In such investigations, authorities may come across issues they consider give rise to data protection issues capable of affecting competition. Alternatively, they may be tempted to follow the Bundeskartellamt’s example and open up new investigations based on data-related issues.

If the CJEU follows AG Rantos’ opinion (which is not guaranteed), it would act as a green light for competition authorities to engage with the GDPR. Competition authorities tend to be larger and more well-resourced than data protection authorities. If they see data protection issues as a means of holding anti-competitive conduct to account, we could see more examples of competition authorities taking the lead on investigations that might seem to fall more obviously within the remit of data protection authorities under the GDPR. Where a company benefits from the GDPR’s one-stop shop principle, it would be frustrating for that company to instead (or simultaneously) have to deal with a competition authority on similar issues.

Even if data protection authorities continue to drive the process, we expect data-related issues to come up in competition law cases on a much more frequent basis in the future. As the importance of data and technology continues to grow in day-to-day life, both competition and data authorities will want to keep a careful watch for conduct that could harm consumers.

Matthew Hunt is a senior associate and Victoria Brown is an associate at Bristows (bristows.com)