This contribution discusses the legal complications of the digital revolution on competition law, including a call for action to the European Union to adapt the existing legal framework in order to catch data-driven conduct and ensure effective enforcement. The rise of the digital economy demands (European) policymakers and enforcers to look at ways in which privacy and competition can strengthen each other to address today’s key challenges. In relation to the incorporation of privacy or data protection principles into a substantive competition analysis, the Court of Justice of the European Union (henceforth: CJEU) and the Commission have been very restrictive. However, this contribution argues that this vision is no longer without debate and susceptible to change.
How privacy and competition can be mutually reinforcing
Competition law and data protection law have quite similar objectives. Both regimes aim to protect consumers and contribute to the establishing of an internal market. However, the means by which they try to achieve these objectives, differ from one another.
The General Data Protection Regulation (henceforth: GDPR) aims to provide control to consumers over their digital identities and, thus, serves as a competitive advantage for GDPR compliant companies. Additionally, it serves as a shield to the monetization of personal data, i.e. the conversion of data into revenue by online platforms offering services ‘free of charge’ to customers in exchange for the transfer of their personal data. Nevertheless, the GDPR has received quite some criticism from a growing number of academics and institutions, despite the Commission’s expressed faith in strengthening (existing) rights of individuals. As exemplified before, the issue with the GDPR is its inability to properly enforce the rights included in its legislation. It does not have a so-called ‘silver bullet’, unlike competition law.
Competition law takes an economic approach by acting against distortions of competition. Whereas data protection law, as explained above, takes a human rights approach by giving individuals more control over their personal data. As such, consumers will benefit from a complementing approach, which includes both an economic and a human rights based perspective, to reach the objective of protecting consumers. This argument can be exemplified by looking at the enforcement of data portability, which provides individuals with the right to transmit their data from one controller to another. Under the GDPR, this right is quite limited because it only applies to personal data which is provided by the data-subject. Competition enforcement could step in and help data protection law achieve objectives that data protection law itself cannot reach. Under competition law, a duty to facilitate data portability could extend beyond mere personal data to any data that causes a competition concern. Moreover, in Microsoft/LinkedIn, the Commission acknowledged that data protection can be seen as a dimension of quality and therefore a parameter of competition. One can wonder whether competition enforcement may be used to stimulate a higher level of data protection, for example, through merger control which provides the Commission with the power to impose (data-related) remedies (example of the ‘silver bullet’ of competition law).
The economic nature of competition law suits the price-centric approach of National Competition Authorities (henceforth: NCAs) and the Commission in the competition assessment of an alleged violation of competition rules. However, its current analysis fails to address the implications of the data-driven market such as data protection and privacy concerns because potential harms are difficult to measure in a quantitative assessment.
Case law and Competition decisions
In the last decade, the CJEU rarely examined the intersection between data protection and competition law and the Commission questionably (un-)conditionally cleared many data-driven mergers based on the traditional EU law framework (for example: Google/DoubleClick, Facebook/WhatsApp, Microsoft/LinkedIn). However, the European Commission or the NCAs are not limited to considering a restraint’s impact solely on economic efficiency or price, which leaves room for non-price parameters such as privacy.
The CJEU first considered mutual enforceability of data protection law and competition law in the Asnef-judgement. The CJEU concluded that data protection ‘as such’ falls outside the scope of competition law. Nevertheless, this wording is not absolute and leaves leeway for a more holistic approach. The latter was confirmed in the Allianz/Hungaria-judgement where the CJEU departed from its earlier judgement. The CJEU held that the impairment of objectives pursued by another set of national rules could be taken into account to assess whether there was a restriction of competition.
Challenging the status quo
The incorporation of data protection principles in a competition assessment is already supported in respectively the joint report of the Autorité de la Concurrence and the Bundeskartellamt, multiple opinions by the European Data Protection Supervisor (EDPS) and the Commission’s expert panel report published early this spring. These contributions all cry for a respectively coherent and/or more vigorous competition regime to address data-related theories of harm, i.e. leveraging, consumer lock-in, network effects, and data collection (among more). Nevertheless, proponents of mutual enforcement challenge the negative impact of the data economy on competition based on countervailing benefits from the so-called ‘uncertainty of harm’.
The joint report of the Autorité de la Concurrence and the Bundeskartellamt followed the CJEU’s judgement in Microsoft/LinkedIn, arguing that privacy concerns cannot be excluded from the scope of competition law by virtue of their nature. This was courageously exemplified by the Bundeskartellamt in its pioneering decision against Facebook investigating whether it abused its dominant position through the application of data protection principles. The Bundeskartellamt justified the mutual enforceability of data protection and competition law based on four arguments.
First, the unequal relationship between data-subject and controller justified the examination of conduct of dominant undertakings under both competition law and data protection regulations. Second, according to the interpretation of the Bundeskartellamt the GDPR’s provisions on responsibility and consistency do not exclude application of substantive data protection law by authorities other than the data protection authorities. Third, the GDPR lacks provisions on abusive practices by dominant companies relating to data processing. Fourth, the Bundeskartellamt was in close contact with data protection authorities in the course of the proceedings. Neither of the data protection authorities considered itself to have exclusive competence to deal with the matter.
Facebook’s appeal against this decision to the Düsseldorf Higher Regional Court succeeded. Its victory blocks the regulatory novelty of the Bundeskartellamt‘s decision which aimed at addressing key legal issues, i.e. data and data processing, for the future of competition in our digital economy. The Düsseldorf court expressed that it did not see any anti-competitive result from Facebook’s data collection and processing (it lacked sufficient argumentation on the merits). The Bundeskartellamt commented that it will appeal on points of law to the Federal Court of Justice. Unfortunately, this process may take years while legal innovation is required sooner rather than later, as critics remark, ‘the law is at its limits with the internet giants’.