AG Opinion on Case C-252/21: The Interplay between Data Protection Law and Competition Law

AG Opinion on Case C-252/21: The Interplay between Data Protection Law and Competition Law

 

1. Introduction

On 20 September 2022, Advocate General Rantos of the European Court of Justice delivered an opinion on Case C‑252/21, Meta Platforms Inc., Meta Platforms Ireland and Facebook Deutschland GmbH v Bundeskartellamt (BKA, i.e., the German Competition Authority),[1] a reference for a preliminary ruling from the Oberlandesgericht Düsseldorf (the Higher Regional Court of Düsseldorf) filed on April 2021[2] concerning the interpretation of several provisions of the Regulation (EU) 2016/679 (GDPR) in the much debated proceeding  in which the BKA adopted the provisions of the GDPR as a benchmark to assess Meta Platforms conduct under Section 19 German Competition Act (GWB).

 

2. Background: The proceeding between Meta Platforms and the BKA

On 6 February 2019, the BKA issued a decision against Meta Platforms based on Section 19 GWB, according to which Meta Platforms abused its dominant position on the German market for social networks imposing abusive business terms to the users of the service available at Facebook.com because, as a manifestation of market power, these terms violated the GDPR.

Under Section 19(1) GWB, principles of the legal system that regulate the appropriateness of conditions in unbalanced negotiations (i.e., between consumers and traders) can be taken as a benchmark when assessing whether business terms are abusive under competition law. Consequently, according to the BKA, as the principles of the GDPR address power imbalances in data-driven industries, the GDPR could be used as a standard to assess the “appropriateness” of the data processing conditions of a dominant company.

The BKA focused on assessing whether Meta Platforms’ privacy policy for the service available at Facebook.com violated the GDPR and found that none of the legal bases provided by the GDPR could justify the collection of users’ personal data by Meta Platforms outside the social network,[3] their combination with the data collected from company-owned services (like WhatsApp, Instagram, Oculus and Masquerade)  and the linking of these data to the accounts of users. In particular, as the privacy policy had to be accepted to use the social network, the BKA argued that not even consent could be a valid legal ground because it was not «freely given». Meta Platforms allegedly exploited the scarcity of a service for which there is demand to nudge users to give consent. As a result, Meta Platforms was able to develop very detailed profiles of each user, causing users to lose control over their personal data and harming competition as Meta Platforms could further entrench its dominant position.

As a result, the BKA ordered Meta Platforms to give users residing in Germany the opportunity to choose to use the Facebook.com service without having their personal data combined with data gathered from other Meta Platforms-owned services or from third party websites.

 

3. The Request and the Opinion

Meta Platforms appealed the decision issued by the BKA before the Higher Regional Court of Düsseldorf, which stayed the proceeding and referred a request for a preliminary ruling to the European Court of Justice (hereafter, ECJ).[1]

The Higher Regional Court of Düsseldorf asked seven questions, which, in a nutshell, concerned (i) the competence of a national competition authority to assess a company’s compliance with the GDPR (questions one and seven), (ii) the interpretation of the GDPR provisions applied by the BKA in the case at hand, concerning: the processing of special categories of personal data (question two), the conditions for the lawful processing of personal data (questions three, four and five) and the validity of consent given to an undertaking in dominant position (question six).

As for the interplay between data protection law and competition law, of relevance are the considerations of Advocate General Rantos with regard to the competence of a national competition authority to assess a company’s compliance with the GDPR, and, in the context of this assessment, the relationship between such competition authority and the competent data protection authority. According to Advocate General Rantos, a national competition authority, such as the BKA, while exercising the powers conferred on it by competition law may take into account whether the conduct being investigated is compliant with other regulations, such as the GDPR. This is possible on condition that the competition authority: (i) is carrying out the examination incidentally and therefore without prejudice to the interpretation and the enforcement of the GDPR by the competent data protection authority; (ii) must adopt the interpretation given by the competent supervisory authority and comply with any ruling it has issued with regard to the same/similar conducts; (iii) informs and cooperates with the competent supervisory authority where that authority has begun or is about to begin an investigation of the same practice.

As for the validity of consent given to a dominant undertaking, according to Advocate General Rantos, the dominant position cannot per se render consent invalid. However, the dominant position of the company must be considered in the assessment concerning the freedom of consent, along with several other circumstances, such as the existence of a clear imbalance of power between the user-data subject and the company, whether the provision of a service is conditional on consent to the processing of personal data that is not necessary for its provision, or whether the withdrawal of consent implies negative consequences for the user-data subject.

 

4. The Wider Context

The whole case is part of the broader debate about the definition of the role played by competition law, consumer law and data protection law in digital markets due to the overlapping scope of their application, as in the case of services offered by digital platforms.[2] To this regard, some scholars and authorities advocate for a more comprehensive approach where privacy-related issues are taken into account in the application of antitrust law,[3] while others do not.[4]

According to the first group, data protection law «should act as a normative benchmark for competition law, and the two policies should be applied in a holistic manner when their material scope intersects.»[5] This could be the case in a number of situations, for instance with respect to privacy policies adopted by dominant firms that have a data-centric business model; or when the dominance of the firms is strongly linked to the privileged access to data.

On the other hand, some authors argued that competition law is not the appropriate legal instrument to address unfair clauses imposed by online platforms on final users, which should be assessed under consumer or data protection law. This position is justified with several arguments, inter alia, because the exact point at which privacy degradation should justify the intervention of the authority is hard to determine in cases where, regardless of this degradation, the undertaking offers a product that is nevertheless of higher quality overall. In fact, even if it has been long recognised that anticompetitive effects may manifest through non-price terms and conditions that adversely affect consumers, product quality effects are still relatively difficult to distinguish from price effects. Thus, proving a product-quality case without relying on prices would mean engaging in an evaluation that balances different non-objective and imprecise dimensions.

Against this backdrop, the Opinion recognized that as long as a national competition authority is acting within its powers, there is no reason to exclude from the assessment the compliance with other provisions which could play a role in the investigation of a potential abusive conduct. In markets as the one populated by digital platforms, which are characterised by heavy intersections of different fields of law, antitrust authorities should be free to address conducts that harm competition even if the same conduct could be relevant under other areas of the law.[6] This way, the BKA correctly addressed the challenges posed by the platform economy, in which the shift from price to data had the consequence of paralysing the enforcement of antitrust law to the detriment of the competitive process.

In an attempt to restore a sort of balance, national authorities have tried to devise innovative solutions to protect individuals, and the competitiveness of markets at large, leading to a situation of over-enforcement and fragmentation.  However, the decisions against large digital platforms issued thus far did not prove very successful. Despite all the sanctions imposed, they continue to retain a disproportionate amount of power that allows them to be de facto entities above the law.

Against this backdrop, the Digital Markets Act[7] is likely to change the actual enforcement scenario in Europe. We are heading toward a centralisation model at both regulatory and institutional level, which in the foreseeable future may be able to succeed where a fragmented approach has failed. Although the adoption of a tailor-made regulation for large digital platforms is to be welcomed, the concentration of enforcement powers on the European Commission alone could risk constricting the contribution of national authorities in finding innovative solutions to new developments in the gatekeepers environment. The extent to which such concentration will allow the participation of Member States to the shaping of a fair and contestable digital market in the European Union will depend on the effectiveness of the cooperation mechanisms between national authorities and the European Commission envisaged by the Digital Markets Act.