1. Relevant facts
On July 4th, within the context of the verdict concerning a preliminary ruling requested by Düsseldorf’s Higher Regional Court for Civil and Criminal Matters («Higher Court»), the Court of Justice of the European Union («CJEU») set a landmark precedent regarding the significance of the processing of personal data in the sphere of antitrust law. In particular, the decision addresses the role that non-compliance with personal data protection regulations may have when assessing possible infringements of antitrust law, specifically in relation to an abuse of dominance, as well as how data protection authorities can and must collaborate with antitrust authorities in cases in which such a link between the two regulations arises.
In this case, the Higher Court was in charge of deciding the appeal filed by Meta against the German antitrust authority’s decision, issued on February 6, 2019, in which the authority determined that, through the collection and use of the personal data of its users in a manner contrary to the provisions set forth by the European General Data Protection Regulation («GDPR»), Meta engaged in an abuse of the dominant position it held in the market for online social networks in Germany.
Specifically, the personal data processing activities disapproved by the German antitrust authority were those related to the massive collection and processing of information from users of the social network Facebook, both directly on the platform and on other websites or applications (so-called «off-Facebook» data). This processing was in contravention of the principles governing the GDPR and took place in the absence of a legal basis that would legitimize or justify such processing. In turn, one of the main arguments outlined by Facebook so far has been that the German antitrust authority exceeded its powers, since it is the competent data protection authorities that have the power to determine the existence of a breach of the GDPR provisions.
2. What is Meta’s alleged non-compliance with the GDPR?
Given that Meta’s economic model is based on financing through customized online advertising, aimed at the users of its social networks in accordance with their consumer patterns and interests, the automated profiling of users is based not only on the information that users provide directly at registration but also on the user information collected on and off the social network (e.g., information about users’ browsing habits through trackers, cookies or plug-ins on third-party websites or platforms belonging to Meta).
Considering the above, the main basis for the processing by Meta of the referred data would be informed consent, granted through the acceptance of the service contract. However, in its 2019 decision, the German competition authority held that such consent was not valid, insofar as it was not freely given. In contrast, the CJEU established that, while the existence of a dominant position of a social network operator does not necessarily prevent users from granting valid consent, this is an element that must be considered when analyzing whether the consent was «freely given», to the extent that such a dominant position may lead to an imbalance between the data controller and the data subject, which may, among other things, result in the imposition of conditions that are not strictly necessary for the performance of the contract.
On the other hand, regarding the other legal bases for processing, the CJEU pointed out that, as these are situations that allow processing without consent, they must be interpreted restrictively and that it will be the controller who will have the burden of proving the lawfulness of the processing under one of these legal bases. Likewise, upon performing a comprehensive analysis of their application, it did not find that their requirements were met.
With the above, the CJEU sends a strong message regarding the legal bases for the processing of personal data, showing that informed consent cannot be reduced only to the inclusion of generic texts that must be unconditionally accepted by the data subjects, but must be obtained in full compliance with the principles of the GDPR, allowing for genuinely free and informed consent.
3. How can an antitrust authority approach a possible legal breach of data protection regulation?
In this context, although data protection authorities and national competition authorities have different functions and pursue different objectives and missions, cooperation between these authorities is crucial. The GDPR establishes an obligation of loyal cooperation, which prevents the competition authority from departing from a decision of the data protection authority as regards general conditions related to the processing of personal data.
This cooperation involves several key aspects:
Consultation and cooperation
Not departing from previous decisions
Reasonable time limits
Limits on the scope of each authority’s competence
Departing from the scope of the European Union and moving into the field of Colombian regulations, it is worth examining whether it is possible to contemplate scenarios of collaboration between the competition and personal data protection authorities in terms similar to those outlined by the CJEU. In the first place, it should be mentioned that, although the Superintendency of Industry and Commerce is the agency that, as a general rule, operates both as competition authority and data protection authority, it is also true that this function is developed through Delegations which are in principle independent and autonomous from each other. Therefore, there are clear limits between the functions of both delegations regarding their respective spheres of authority. However, this does not necessarily prevent a harmonious collaboration between both delegations, when there is a potential infringement of personal data protection rules that may result, in turn, in a breach of the provisions governing fair competition.
Concerning the above, it is worth mentioning that, based on the general prohibition established by the Colombian competition regulations, which generally prohibits all practices aimed at limiting free competition, there is the possibility that the competition authority may determine, in a given case, that the infringement of the obligations and duties under Colombian laws on the protection of personal data entails conduct that affects free competition. In addition, some decisions of the Colombian competition authority regarding merger control have been issued considering the processing of personal data and compliance with the associated regulations as a determining factor in the approval or denial of such merger.
Similarly, we are beginning to see decisions of the Colombian data protection authority in which it has mentioned possible non-compliance of the investigated party with the competition laws. It is worth noting that, although these mentions do not imply substantive judgments, they do allow us to see a scenario of collaboration between both authorities. For example, in the context of an investigation in which it was decided that a major telecommunications operator had violated personal data protection regulations, the data protection authority indicated that, although it was not competent to hear complaints related to anti-competitive practices, it was within its power to refer them to the relevant authority.
However, this intervention is subject to close cooperation with data protection supervisory authorities to ensure that privacy rights are adequately protected and that a consistent and effective application of the GDPR is guaranteed in competition-related cases.
Ultimately, this relationship shows how the European Union works to balance the protection of individual privacy rights with the promotion of fair competition in the single market, ensuring that companies operate ethically and in compliance with the law.
On the other hand, in the Colombian scenario, although there have been no decisions by the relevant authorities setting cooperation rules in as clear a fashion as the CJEU’s ruling, it is also true that Colombian competition and data protection authorities have begun to consider the link between both areas of law and will, most likely, continue to do so in a more straightforward manner in future cases.
Martha P. Gaitán