A New Privacy Sheriff in Town – National Competition Authorities Competent to Apply the GDPR

On 4 July 2023, the Court of Justice of the European Union delivered a Grand Chamber ruling affirming the national competition authorities’ power to investigate privacy breaches when conducting abuse of dominance investigations under Article 102 TFEU. Big tech firms will now have extra incentives to reconsider how they collect user data since they may face far-reaching sanctions under the competition rules if the collection is not GDPR compliant.

Background
In 2019, the German national competition authority, prohibited inter alia the social network provider Meta Platforms Ireland (Meta) from collecting data about user activities off the Facebook network – such as data on its users’ visits to third party webpages. It also prohibited processing of that data on the basis of the applicable general terms which did not require consent from the users. In its decision, the authority found that Meta’s processing of its users’ data constituted a violation of the GDPR and therefore also an abuse of its dominant position on the market for online social networks for private users in Germany. In addition, it required Meta to adapt those general terms so that it made clear that those data will neither be collected, nor linked with Facebook user accounts nor used without the consent of the user. It also clarified that such a consent is not valid if it is a condition for using the social network.

Meta challenged the decision, questioning, inter alia, the competition authority’s power to examine Meta’s compliance with the GDPR. The German first instance court decided to stay the proceedings and turn to the Court of Justice (the Court). It wanted to know inter alia
(i) whether a national competition authority could find, when examining compliance with Article 102 TFEU, that the company’s general terms of use for processing user data and the implementation thereof are inconsistent with the GDPR, and, if so, (ii) whether such a finding is possible when the same terms are being investigated, simultaneously, by the competent lead supervisory authority in accordance with the GDPR. It also put forward a number of questions regarding processing of sensitive data and consent under the GDPR but those will not be commented in this blog post.

The National Competition Authority’s Ability to Investigate Privacy Breaches
The Court observed that there is no provision in the GDPR that prevents national competition authorities from finding that a data processing operation carried out by a company in a dominant position constitutes both an abuse of that position and a breach of the GDPR. The compliance or non-compliance with the GDPR could even, according to the Court, be viewed as a vital clue for the competition authorities to establish whether a certain conduct entails an abuse of a dominant position or normal competition.

Therefore, in the context of the examination of an abuse of dominance, it may even be necessary to also examine whether the conduct in question complies with other rules, such as the GDPR. Furthermore, if such a conduct is in breach of the GDPR and constitutes an abuse of a dominant position, the national competition authorities may impose measures to end that abuse, without infringing on the competence of the supervisory authorities reserved under the GDPR.

The Court stressed that access to personal data and processing of such data have become a significant parameter of competition between undertakings in the digital economy. Thus, rules regarding the protection of personal data need to be considered in order not to disregard the reality of this economic development and thereby risk undermining the effectiveness of competition law within the EU.

The Obligation to Cooperate with GDPR Authorities for the sake of Consistency
The Court also points out that if a national competition authority considers it necessary to rule on whether a certain conduct is compliant with the GDPR, then it must also consult and cooperate with the supervisory authority concerned under the GDPR in order to ensure consistency.

This implies that it must first ascertain whether that conduct or any similar conduct is or has already been the subject of a decision by the competent national supervisory authority, the lead supervisory authority or the Court. If so, the competition authority is not allowed to depart from such decision or ruling while still remaining free to draw its own conclusions from the point of view of the application of competition law. It must also ensure to consult and seek their cooperation. In the absence of any objection on their part or of any reply within a reasonable time, the national competition authority may continue its investigation.

Concluding remarks
Companies with strong market power will now have extra incentives to make sure that their behaviour complies with the GDPR since they may face very far-reaching sanctions under the competition rules, including hefty fines and damage claims as well as prohibitions. At the same time, national authorities and courts must act carefully to avoid triggering the ne bis in idem principle protecting companies from double jeopardy.