Com­pe­tence of com­pe­ti­ti­on aut­ho­ri­ties in data pro­tec­tion matters

Is a natio­nal com­pe­ti­ti­on aut­ho­ri­ty allo­wed to estab­lish a breach of data pro­tec­tion law and take mea­su­res against it? With the land­mark decis­i­on of 4 July 2023 (Judgment of 4 July 2023, C‑252/21), the Euro­pean Court of Jus­ti­ce (ECJ) cla­ri­fies the rela­ti­onship bet­ween anti­trust law and data pro­tec­tion law.

Back­ground

The social net­work Face­book, ope­ra­ted by Meta, finan­ces its­elf through online adver­ti­sing. For this pur­po­se, Face­book also crea­tes user pro­files using data coll­ec­ted out­side the social net­work. Users agree to this prac­ti­ce by con­fir­ming the terms of use. The Ger­man Fede­ral Car­tel Office objec­ted to this prac­ti­ce and based its decis­i­on on the assump­ti­on that Face­book is domi­nant in the mar­ket within the mea­ning of § 19 of the Ger­man Com­pe­ti­ti­on Act (GWB) and that a breach of the Gene­ral Data Pro­tec­tion Regu­la­ti­on is suf­fi­ci­ent to sup­po­se abu­si­ve con­duct. Meta appea­led against this to the Düs­sel­dorf Hig­her Regio­nal Court (OLG Düs­sel­dorf), which refer­red seve­ral ques­ti­ons to the ECJ for a preli­mi­na­ry ruling. The core ques­ti­on was whe­ther natio­nal com­pe­ti­ti­on aut­ho­ri­ties can estab­lish and punish brea­ches of the GDPR.

Result and rele­van­ce for companies

In its decis­i­on, the ECJ con­cludes that a natio­nal com­pe­ti­ti­on aut­ho­ri­ty may find that the­re has been a breach of the of the Gene­ral Data Pro­tec­tion Regu­la­ti­on (GDPR) in the con­text of the assess­ment of whe­ther a domi­nant posi­ti­on is being abu­sed. Howe­ver, the com­pe­tence to exami­ne this issue is limi­t­ed to the ques­ti­on of whe­ther the data pro­tec­tion breach rela­tes to the pro­hi­bi­ti­on of abu­se under anti­trust law sti­pu­la­ted by § 19 (1) of the Ger­man Com­pe­ti­ti­on Act (GWB). In plain lan­guage, this means for com­pa­nies with a domi­nant mar­ket posi­ti­on that they must also fear inter­ven­ti­on by the com­pe­ti­ti­on aut­ho­ri­ties in the event of data pro­tec­tion brea­ches. At the same time, the­se com­pa­nies must also be pre­pared for the fact that data pro­tec­tion aspects will incre­asing­ly be included in gene­ral audits by the anti­trust aut­ho­ri­ties. Howe­ver, the ECJ also cla­ri­fies that the data pro­tec­tion super­vi­so­ry aut­ho­ri­ties and the com­pe­ti­ti­on aut­ho­ri­ties con­ti­nue to per­form dif­fe­rent func­tions and tasks. The com­pe­ti­ti­on aut­ho­ri­ties are the­r­e­fo­re requi­red to con­sult and coope­ra­te with the data pro­tec­tion super­vi­so­ry aut­ho­ri­ties. They are not per­mit­ted to depart from decis­i­ons made by the data pro­tec­tion super­vi­so­ry authorities.

Out­look

Com­pli­ance with data pro­tec­tion law has alre­a­dy play­ed a role in seve­ral pro­cee­dings befo­re the EU Direc­to­ra­te Gene­ral for Com­pe­ti­ti­on and the Ger­man Fede­ral Car­tel Office. Now that the ECJ has con­firm­ed the pre­vious prac­ti­ce of the aut­ho­ri­ties, data pro­tec­tion aspects will find their way into anti­trust pro­cee­dings on a per­ma­nent basis. Com­pa­nies with a domi­nant mar­ket posi­ti­on must the­r­e­fo­re expect com­pli­ance with data pro­tec­tion requi­re­ments to remain in the focus of the anti­trust aut­ho­ri­ties. Both the Digi­tal Mar­kets Act and the Digi­tal Ser­vices Act are likely to rein­force this trend in the future. Mean­while, the legal dis­pu­te bet­ween Meta and the Ger­man Fede­ral Car­tel Office will for the moment go back to the Düs­sel­dorf Hig­her Regio­nal Court (OLG Düsseldorf).