Digital economy: where antitrust laws and data protection rules interplay

3 octubre, 2023
antitrust laws and data protection

1. Relevant facts

On July 4th, within the context of the verdict concerning a preliminary ruling requested by Düsseldorf’s Higher Regional Court for Civil and Criminal Matters («Higher Court»), the Court of Justice of the European Union («CJEU»), set a landmark precedent regarding the significance of the processing of personal data in the sphere of antitrust law. In particular, the decision addresses the role that non-compliance with personal data protection regulations may have when assessing possible infringements of the antitrust law, specifically in relation to an abuse of dominance, as well as how data protection authorities can and must collaborate with antitrust authorities in cases in which such link between the two regulations arises.

In this case, the High Court was in charge of deciding the appeal filed by Meta against the German antitrust authority’s decision, issued on February 6, 2019, in which such authority determined that, through the collection and use of the personal data of its users, in a manner which was contrary to the provisions set forth by the European General Data Protection Regulation («GDPR»), Meta engaged in an abuse of the dominant position it held in the market for online social networks in Germany.

Specifically, the personal data processing activities disapprove by the German antitrust authority, were those related to the massive collection and processing of information from users of the social network Facebook, both directly on the platform and on other websites or applications (so-called «off-Facebook» data). This processing is a contravention of the principles governing the GDPR and in the absence of a legal basis that would legitimize or justify such processing. In turn, one of the main arguments outlined by Facebook so far has been that the German antitrust authority exceeded its powers since it is the competent data protection authorities the ones who have the power to determine the existence of a breach of the GDPR provisions.

2. What is Meta’s alleged non-compliance with the GDPR?

Under Article 6 of the GDPR, the processing of personal data shall be lawful where, amongst others: the data subject has given informed consent for processing; processing is necessary for the fulfilment of a contract to which the data subject is a party; processing is necessary for compliance with a legal obligation to which the controller is subject (in this case, Meta); or, processing is necessary for the purposes of the legitimate interests pursued by the controller.

Given that Meta’s economic model is based on financing through customized online advertising, aimed at the users of its social networks in accordance with their consumer patterns and interests, the account of the automated profiling of users is based not only on the information that users provide directly at the registration but also on the user information collected on and off the social network (e.g., information about user’s browsing habits through trackers, cookies or plug-ins on third-party websites or platforms belonging to Meta).

Considering the above, the main basis for the processing by Meta of the referred data would be informed consent, granted through the acceptance of the service contract. However, in its 2019 decision, the German competition authority held that such consent was not valid, insofar as it was not freely given. In contrast, the CJEU established that, while the existence of a dominant position of a social network operator does not necessarily prevent users from granting valid consent, this is an element that must be considered when analyzing whether the consent was » freely given», to the extent that such a dominant position may lead to an imbalance between the data controller and the data subject, which may, among other things, result in the imposition of conditions that are not strictly necessary for the performance of the contract.

On the other hand, about the other legal bases for processing, the CJEU pointed out that, as these are situations that allow processing without consent, they must be interpreted restrictively and that it will be the controller who will have the burden of proving the lawfulness of the processing under one of these legal bases. Likewise, upon performing a comprehensive analysis of their application, it did not find that its requirements were met.

By the above, the CJEU sends a strong message regarding the legal bases for the processing of personal data, showing that, informed consent cannot be reduced only to the inclusion of generic texts that must be unconditionally accepted by the data subjects, but must be obtained in full compliance with the principles of the GDPR, allowing the existence of a real free and informed consent.

3. How can an antitrust authority approach a possible legal breach of data protection regulation?

The GDPR sets out the rules for the processing of personal data in the European Union. In parallel, the Treaty on the Functioning of the European Union (TFEU) in its article 102 deals with the abuse of dominant position by undertakings in the single market. The relationship between these two regulations becomes apparent when a Member State competition authority is faced with the need to determine whether a company’s general terms and conditions of service, regarding the processing of personal data, comply with the GDPR. This may occur where a finding of non-compliance with the GDPR is essential for a finding of abuse of a dominant position, as set out in Article 102 TFEU.

In this context, although data protection authorities and national competition authorities have different functions and pursue different objectives and missions, cooperation between these authorities is crucial. The GDPR establishes an obligation of loyal cooperation, which prevents the competition authority from departing from a decision of the data protection authority as regards general conditions related to the processing of personal data.

This cooperation involves several key aspects:

Consultation and cooperation

When a competition authority considers it necessary to examine the compliance of an activity with the provisions set forth in the data protection regulation, such authority must check whether such activity or a similar activity has already been the subject of a decision by the data protection authority. The objective is to ensure a full and fair assessment of the situation.

Not departing from previous decisions

Competition authorities cannot ignore previous decisions of competent data protection authorities or the Court of Justice, regarding the general conditions related to the processing of personal data or similar general terms and conditions related with the subject matter. This avoids duplication of efforts and ensures that interpretations of data protection regulations are respected.

Reasonable time limits

In situations where the competition authorities consider that the general conditions do not comply with the GDPR and there is no prior investigation or decision by the supervisory authorities, they should request cooperation. If no objections are raised and no responses are received within a reasonable time, the competition authority may proceed with its investigation.

Limits the scope of each authority competence

The competition authority does not decide on the application of the data protection regulation to protect the fundamental rights and freedoms of data subjects during the processing or facilitate the free flow of personal data in the EU. As it limits itself to pointing out the non-compliance of a data processing with the GDPR only for the purpose of declaring the existence of an antitrust act (i.e. abuse of a dominant position) and imposing measures aimed at the cessation of such act on a legal basis derived from competition law, does not make use of the powers reserved to the data protection authority.
This collaboration seeks to ensure consistency in the application of the GDPR and prevent fragmentation or contradictory interpretations of data protection regulation in the competition context.

Departing from the scope of the European Union and moving into the field of Colombian regulations, it is worth examining whether it is possible to contemplate scenarios of collaboration between the competition and personal data protection authorities in terms similar to those outlined by the CJEU. In the first place, it should be mentioned that, although the Superintendency of Industry and Commerce is the agency that, as a general rule, operates both as competition authority and data protection authority, it is also true that this function is developed through Delegations which are in principle independent and autonomous from each other. Therefore, there are clear limits between the functions of both delegations regarding their respective spheres of authority. However, this does not necessarily prevent a harmonious collaboration between both delegations, when there is a potential infringement of personal data protection rules that may result, in turn, in a breach of the provisions governing fair competition.

Concerning the above, it is worth mentioning that, based on the general prohibition established by the Colombian competition regulations, which generally prohibits all practices aimed at limiting free competition, there is the possibility that the competition authority may determine, in a given case, that the infringement of the obligations and duties under Colombian laws on the protection of personal data entails a conduct which affects free competition. In addition, some decisions of the Colombian competition authority, regarding merger control, have been issued considering the processing of personal data and compliance with the associated regulations as a determinant factor in the approval or denial of such merger.

Similarly, we are beginning to see decisions of the Colombian data protection authority in which it has mentioned possible non-compliance of the investigated party with the competition laws. It is worth noting that, although these mentions do not imply substantive judgments, they do allow us to see a scenario of collaboration between both authorities. For example, in the context of an investigation in which it was decided that a major telecommunications operator had violated personal data protection regulations, the data protection authority indicated that, although it was not competent to hear complaints related to anti-competitive practices, it was its power to refer them to the relevant authority.

4. Conclusions

In summary, the GDPR and the TFEU establish a connection between the competition authorities and the protection of personal data in the European Union. In this sense, competition authorities can intervene in cases where non-compliance with the GDPR is essential for a finding of abuse of a dominant position by an undertaking.

However, this intervention is subject to close cooperation with data protection supervisory authorities to ensure that privacy rights are adequately protected and that a consistent and effective application of the GDPR is guaranteed in competition-related cases.

Ultimately, this relationship shows how the European Union works to balance the protection of individual privacy rights with the promotion of fair competition in the single market, ensuring that companies operate ethically and in compliance with the law.

On the other hand, in the Colombian scenario, although there have been no decisions by the relevant authorities setting cooperation rules in such a clear fashion as that of the CJEU’s ruling, it is also true that Colombian competition and data protection authorities have begun to consider the link between both areas of law and will, most likely, continue to do so in a more straight forward manner in future cases.

Our Experts

Martha Gaitan

Martha P. Gaitán

Data Privacy

Santiago Lombana

Santiago Lombana

Antitrust and Consumer
Law Coordinator