Com­pe­tence of com­pe­ti­ti­on aut­ho­ri­ties in data pro­tec­tion matters

Is a natio­nal com­pe­ti­ti­on aut­ho­ri­ty allo­wed to estab­lish a breach of data pro­tec­tion law and take mea­su­res against it? With the land­mark decis­i­on of 4 July 2023 (Judgment of 4 July 2023, C‑252/21), the Euro­pean Court of Jus­ti­ce (ECJ) cla­ri­fies the rela­ti­onship bet­ween anti­trust law and data pro­tec­tion law.


The social net­work Face­book, ope­ra­ted by Meta, finan­ces its­elf through online adver­ti­sing. For this pur­po­se, Face­book also crea­tes user pro­files using data coll­ec­ted out­side the social net­work. Users agree to this prac­ti­ce by con­fir­ming the terms of use. The Ger­man Fede­ral Car­tel Office objec­ted to this prac­ti­ce and based its decis­i­on on the assump­ti­on that Face­book is domi­nant in the mar­ket within the mea­ning of § 19 of the Ger­man Com­pe­ti­ti­on Act (GWB) and that a breach of the Gene­ral Data Pro­tec­tion Regu­la­ti­on is suf­fi­ci­ent to sup­po­se abu­si­ve con­duct. Meta appea­led against this to the Düs­sel­dorf Hig­her Regio­nal Court (OLG Düs­sel­dorf), which refer­red seve­ral ques­ti­ons to the ECJ for a preli­mi­na­ry ruling. The core ques­ti­on was whe­ther natio­nal com­pe­ti­ti­on aut­ho­ri­ties can estab­lish and punish brea­ches of the GDPR.

Result and rele­van­ce for companies

In its decis­i­on, the ECJ con­cludes that a natio­nal com­pe­ti­ti­on aut­ho­ri­ty may find that the­re has been a breach of the of the Gene­ral Data Pro­tec­tion Regu­la­ti­on (GDPR) in the con­text of the assess­ment of whe­ther a domi­nant posi­ti­on is being abu­sed. Howe­ver, the com­pe­tence to exami­ne this issue is limi­t­ed to the ques­ti­on of whe­ther the data pro­tec­tion breach rela­tes to the pro­hi­bi­ti­on of abu­se under anti­trust law sti­pu­la­ted by § 19 (1) of the Ger­man Com­pe­ti­ti­on Act (GWB). In plain lan­guage, this means for com­pa­nies with a domi­nant mar­ket posi­ti­on that they must also fear inter­ven­ti­on by the com­pe­ti­ti­on aut­ho­ri­ties in the event of data pro­tec­tion brea­ches. At the same time, the­se com­pa­nies must also be pre­pared for the fact that data pro­tec­tion aspects will incre­asing­ly be included in gene­ral audits by the anti­trust aut­ho­ri­ties. Howe­ver, the ECJ also cla­ri­fies that the data pro­tec­tion super­vi­so­ry aut­ho­ri­ties and the com­pe­ti­ti­on aut­ho­ri­ties con­ti­nue to per­form dif­fe­rent func­tions and tasks. The com­pe­ti­ti­on aut­ho­ri­ties are the­r­e­fo­re requi­red to con­sult and coope­ra­te with the data pro­tec­tion super­vi­so­ry aut­ho­ri­ties. They are not per­mit­ted to depart from decis­i­ons made by the data pro­tec­tion super­vi­so­ry authorities.


Com­pli­ance with data pro­tec­tion law has alre­a­dy play­ed a role in seve­ral pro­cee­dings befo­re the EU Direc­to­ra­te Gene­ral for Com­pe­ti­ti­on and the Ger­man Fede­ral Car­tel Office. Now that the ECJ has con­firm­ed the pre­vious prac­ti­ce of the aut­ho­ri­ties, data pro­tec­tion aspects will find their way into anti­trust pro­cee­dings on a per­ma­nent basis. Com­pa­nies with a domi­nant mar­ket posi­ti­on must the­r­e­fo­re expect com­pli­ance with data pro­tec­tion requi­re­ments to remain in the focus of the anti­trust aut­ho­ri­ties. Both the Digi­tal Mar­kets Act and the Digi­tal Ser­vices Act are likely to rein­force this trend in the future. Mean­while, the legal dis­pu­te bet­ween Meta and the Ger­man Fede­ral Car­tel Office will for the moment go back to the Düs­sel­dorf Hig­her Regio­nal Court (OLG Düsseldorf).


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.