Can a Competition Authority Assess a GDPR Breach?
Data plays a huge role in many organisations’ business models, so data processing issues are increasingly arising in the context of competition law investigations. This leads to a growing overlap between the roles of competition authorities and data protection authorities.
Traditionally, these regulators operate in very different spaces and have very different regulatory functions. However, when investigating a breach of competition law, can a national competition authority (NCA) consider an alleged breach of the General Data Protection Regulation (GDPR)?
A reference from the German courts to the Court of Justice of the European Union (CJEU) in Meta Platforms and Others v Bundeskartellamt (C-252/21) asks that very question.
National Proceedings Leading to the Preliminary Reference
The preliminary reference stems from a finding of the Bundeskartellamt (the German national competition authority, or Federal Cartel Office (FCO)) in 2019 that Meta – at that time known as Facebook – collected user and device-related data from other corporate services and Meta business tools without the users’ proper consent and collated that data for highly personalised advertising. The FCO found that this heightened barriers to market entry for other competitors and created a ‘lock-in effect’ for users. The FCO, therefore, identified an abuse of a dominant position in the form of exploitative business terms under the German Act against Restraints of Competition.
The FCO argued that NCAs could and should assess data processing activities when investigating companies like Meta to determine their compliance with the GDPR rules, “which are based on constitutional rights” and which “have to be included in assessments of interests under competition law”.
However, this view is controversial. Article 51 of the GDPR entrusts the GDPR policing role to “supervisory authorities”, such as the Irish Data Protection Commission (DPC) and its counterparts in other EU member states. A concern is that allowing an NCA to act as a data protection enforcer goes against Article 51 GDPR. There is also concern that allowing an NCA to investigate GDPR breaches cuts across the “one-stop shop” principle. Given that Meta’s “main establishment” in the EU is in Ireland, Meta argues that the DPC should have investigated any alleged infringements of data protection law.
Meta challenged this decision, leading to a preliminary reference from the German court to the CJEU.
Questions Submitted to the CJEU
Among the questions submitted, the German court asked the CJEU to determine whether:
- an NCA is competent to find an infringement of the GDPR in the course of its competition investigation and make orders to remedy such breach, even if it is not a supervisory authority within the meaning of the GDPR; and
- the DPC findings were valid in light of the DPC’s decision regarding the same subject matter, which reached a different conclusion regarding Meta’s data processing practices.
Opinion of the Advocate General
Last month, the Advocate General at the CJEU, Athanasios Rantos, published his opinion.
In his opinion, AG Rantos made a distinction between, on the one hand, a “primary” analysis of a breach of the GDPR and, on the other, a “secondary” analysis of GDPR compliance as part of a broader legal and economic context when applying competition rules.
In relation to a “primary” analysis, the Advocate General concluded that an NCA does not have the power to find a breach of the GDPR within its competition proceedings nor to make orders to remedy such breach.
However, on “secondary” analysis, the Advocate General argued that, in exercising its powers as a competition authority, the NCA could consider – in an incidental way – whether a commercial practice is compatible with the GDPR. Considering all the circumstances of the individual case, this could be “an important indication” for the NCA in determining whether that practice constituted a breach of competition law.
Therefore, the Advocate General concluded that while it is not within the powers of an NCA to undertake a “primary” analysis of GDPR compliance, it is open to an NCA to consider GDPR compliance issues that are “secondary” to broader competition analysis.
AG Rantos concluded that because competition and GDPR rules pursue different objectives, allowing an NCA to investigate the same set of facts as previously investigated by a data protection regulator would not create the risk of a double ruling over the same set of facts.
However, AG Rantos also concluded that without established cooperation mechanisms between the two types of authorities, the NCA must under EU law cooperate in good faith with and inform the competent supervisory authority when beginning such an investigation. The NCA may have to await the outcome of the supervisory authority’s investigation before starting its assessment. In the present case, the Advocate General considered that the FCO fulfilled this duty by contacting the DPC informally before making the conclusions for its competition proceedings against Meta.
It remains to be seen whether the CJEU will follow this legal assessment. The CJEU is not bound to follow the Advocate General’s opinion but generally does so.
Assuming that the CJEU follows the opinion of the Advocate General in this case, it may be open to the CCPC and other NCAs to take into account, in an incidental way, compliance with the GDPR when investigating alleged breaches of competition law. As these areas of law intersect, businesses of all sizes should address these legal risks in the round.
Contributed by Karolina Rozhnova